Re: OpenSSH key blacklisting

["Gustavo De Nardin (spuk)" <gustavodn () mandriva com>]

* Solar Designer <solar () openwall com> [2008-05-16 21:18 +0400]:
> Hi,
>
> Are any other distros, besides Debian, Ubuntu, and derived ones, going
> to implement key blacklisting in OpenSSH - or are considering it?
>
> We are considering it for Openwall GNU/*/Linux, and if our effort would
> be reused by others, or if others join us in developing and/or testing
> the patch, this would be a reason for us to go for it.
>
> I don't think we'll take the Debian/Ubuntu patch as-is.  Rather, we are
> likely to use a trivial binary encoding/compression method for the
> partial fingerprints.  We'd also use smaller partial fingerprints.  With
> the approach I have in mind, it'd take around 4.55 bytes per key to
> store 48-bit partial fingerprints, bringing the installed file size for
> 3 arch types and 2 key types/sizes in under 1 MB (or just over 1 MB for
> 3 key types/sizes).

If this is going to be accepted as a more general solution, it'd be good to
allow also for local, admin-maintened, blacklists, not just upstream
maintened (and automatically updated).