2008/8/24 Axel Thimm <Axel.Thimm@xxxxxxxxxx>: >> On Sat, Aug 23, 2008 at 04:37:13PM -0500, Jeffrey Ollie wrote: >> > The primary reason is that it's nearly impossible to tell if the key >> > was generated on a Debian system with the compromised OpenSSL >> > versions. > > OK, I checked and it is far from impossible. After all the bug was > that there are only 32k possible keys per arch/size/type - Debian has > even issued blacklists for all keys of typical und some untypical > sizes like 1024/2048/1023/2047/4096/8192 and for some sizes they even > packaged it up, see > > http://packages.debian.org/unstable/main/openssh-blacklist > http://packages.debian.org/unstable/main/openssh-blacklist-extra > > If there is paranoia floating around, then why not use that blacklist > in Fedora/RHEL as well instead of nuking all DSA keys and still > allowing the bad RSA keys? > All RSA keys were nuked too. > And if your are really paranoic then one can package up these > blacklists for general use by Fedora/RHEL's openssh. I don't know if > openssh has a blacklist-reject ability already coded in, though. No it does not. -- Stephen J Smoogen. -- BSD/GNU/Linux How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice" _______________________________________________ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
