Re: Re: [CentOS-announce] Impact of the Debian OpenSSL vulnerability




Karanbir Singh wrote:
> Dag pointed out that Suse is also considering setting up a blacklist of
> this nature. I don't mind looking at something like this within CentOS if
> someone wants to make a case for it. Would it be better to just have
> some tool (Daniel already brought that up!) that could audit setups
> instead of running such a blacklist?

The problem is that the tools I know only look for broken ssh keys
(dowkd.pl, ssh-vulnkey) and none of them address other problematic areas
like certificates, dnssec-keys (although Lutz Donnerhacke mailed all
people running zones with broken keys) and so on. 

If you take a look at <http://debian.wideopenssl.org/> there are so many
applications which might have broken keys even on non-Debian systems
that I think offering a tool for just ssh keys might give people a wrong
sense of security, if they don't find broken ssh keys on their machines.

Ralph
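
The coverage gap described in this message, as an added example that is not part of the original post or of any tool named in it: a small inventory that lists key material an SSH-only audit would never open. The category names, the `SSH_ONLY_SCOPE` set and the sample tree are assumptions of this example, and the sample file bodies are constructed placeholders, not real keys.

```python
import re
import tempfile
from pathlib import Path

# Category names are this example's own; the markers are the usual text forms.
PATTERNS = {
    "ssh-public-key": re.compile(r"^(ssh-rsa|ssh-dss) [A-Za-z0-9+/=]+", re.M),
    "pem-private-key": re.compile(r"-----BEGIN (RSA|DSA) PRIVATE KEY-----"),
    "x509-certificate": re.compile(r"-----BEGIN CERTIFICATE-----"),
    "dnssec-key": re.compile(r"\sIN\s+DNSKEY\s+\d+\s+\d+\s+\d+\s"),
}
# Assumption: an SSH-only audit is modelled as covering this category alone.
SSH_ONLY_SCOPE = {"ssh-public-key"}

def classify(text):
    """Return the sorted categories of key material found in one file's text."""
    return sorted(kind for kind, rx in PATTERNS.items() if rx.search(text))

def inventory(root):
    """Map category -> relative paths of files under root that contain it."""
    found = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            text = path.read_text(errors="replace")
            for kind in classify(text):
                found.setdefault(kind, []).append(path.relative_to(root).as_posix())
    return found

def outside_ssh_scope(inv):
    """Key material that exists on the system but an SSH-only audit skips."""
    return {k: v for k, v in inv.items() if k not in SSH_ONLY_SCOPE}

def demo():
    """Build a constructed sample tree and return (inventory, missed)."""
    samples = {
        "home/user/.ssh/authorized_keys": "ssh-rsa AAAAB3NzaC1yc2EAAAAB user@host\n",
        "etc/pki/tls/certs/www.pem": "-----BEGIN CERTIFICATE-----\nMIIB\n",
        "etc/pki/tls/private/www.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIB\n",
        "var/named/Kexample.org.key": "example.org. IN DNSKEY 256 3 5 AwEAAb==\n",
        "etc/motd": "no keys here\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        inv = inventory(root)
    return inv, outside_ssh_scope(inv)
```

The inventory only says where key material lives; it does not decide whether a given key is weak, so every path it reports still needs its own check or regeneration.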

