oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: OpenSSH key blacklisting

From: Kees Cook <kees () outflux net>
Date: Mon, 19 May 2008 13:26:36 -0700
On Sun, May 18, 2008 at 04:06:55AM +0400, Solar Designer wrote:

Also, aren't protocol 1 keys 1024-bit RSA only, even with the latest
ssh-keygen?

Then, is it just one set of vulnerable 1024-bit RSA keys for both
protocols - or is it two sets?


Yes -- in the tests I did, RSA1 and RSA keys shared the same modulus,
so RSA1 is covered by the same blacklists.  RSA1024 is in the
openssh-blacklist-extra binary package in debian.

As for other corner-cases, DSA2048 weren't generate-able[1] with a broken
version of ssh-keygen, so I've been considering publishing an _empty_
DSA2048 blacklist, just so that ssh-vulnkey will report DSA2048 as "safe"
instead of "unknown".

-Kees

[1] dsa was forced to be 1024 for a while now:
$ ssh-keygen -f /tmp/foo -t dsa -b 2048
DSA keys must be 1024 bits


-- 
Kees Cook                                            @outflux.net
Previous By Date Next
Previous By Thread Next

Current thread: