Re: Re: [CentOS-announce] Impact of the Debian OpenSSL vulnerability

On Sat, May 17, 2008 at 12:25 PM, Ralph Angenendt
<ra+centos@xxxxxxxxxxxx> wrote:
> If you take a look at <http://debian.wideopenssl.org/> there are so many
> applications which might have broken keys even on non-Debian systems
> that I think offering a tool for just ssh keys might give people a wrong
> sense of security, if they don't find broken ssh keys on their machines.

People often mistake tools for facts. Just like rootkit detection
utilities, people should realize that key detection is just a tool to
assist with finding obvious compromises. I think it is OK to provide
one of these detection tools through the -extras repository, as long
as it is made clear in the documentation what it detects, what it does
not detect, and whether there is a chance of having false positives.

Wrt. fingerprint-based blocking in OpenSSH:

- What does our upstream think about this?
- What do the OpenSSH developers think about this?

I think a general scheme for blocking certain public keys might be
useful, even outside this specific case. But I am not sure it is a
good idea to make/use vendor-specific extensions.

Take care,
Daniel
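As an added illustration of the fingerprint-based detection and blocking discussed in this message (this is example code written for this page, not a tool from CentOS, Debian or the OpenSSH project), the script below computes the same SHA256/MD5 fingerprints that `ssh-keygen -l` prints for each key in an authorized_keys file and matches them against a blocklist. The keys and the blocklist are constructed in the script with toy RSA moduli so that it runs offline; they are not real keys and not real weak keys, and the blocklist stands in for a vendor-published list of bad fingerprints.

```python
import base64
import hashlib
import struct

# --- SSH wire encoding (RFC 4253 "string" and "mpint") ----------------------

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed SSH string."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Big-endian mpint; a leading 0x00 is added when the top bit is set, zero is empty."""
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_public_blob(e: int, n: int) -> bytes:
    """The ssh-rsa public-key blob exactly as it appears (base64) in authorized_keys."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def blob_key_type(blob: bytes) -> str:
    """Key type embedded in the blob (its first SSH string)."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


# --- Fingerprints in the formats printed by `ssh-keygen -l` -----------------

def fingerprint_sha256(blob: bytes) -> str:
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


# --- authorized_keys parsing -------------------------------------------------

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_authorized_key(line: str):
    """Return (key_type, blob) for a key line, or None for blank/comment lines.

    Leading options (e.g. no-pty,command="...") are skipped by locating the
    key-type field; options containing quoted spaces are not handled here.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPE_PREFIXES):
            blob = base64.b64decode(fields[i + 1], validate=True)
            if blob_key_type(blob) != field:  # text field and blob must agree
                raise ValueError(f"key type mismatch on line: {line!r}")
            return field, blob
    raise ValueError(f"no key-type field in line: {line!r}")


def check_keys(lines, blocklist):
    """Return [(line_number, key_type, sha256_fingerprint, blocked)] for every key line."""
    report = []
    for lineno, line in enumerate(lines, start=1):
        parsed = parse_authorized_key(line)
        if parsed is None:
            continue
        key_type, blob = parsed
        fp = fingerprint_sha256(blob)
        report.append((lineno, key_type, fp, fp in blocklist))
    return report


# --- Constructed sample data: toy moduli, NOT real or really-weak keys -------

KNOWN_BAD_BLOB = rsa_public_blob(65537, 0xD4F3C2B1A0998877665544332211)
OTHER_BLOB = rsa_public_blob(65537, 0xC0FFEE1234567890ABCDEF1122334455)

BLOCKLIST = {fingerprint_sha256(KNOWN_BAD_BLOB)}  # stands in for a published bad-key list

SAMPLE_AUTHORIZED_KEYS = [
    "# constructed authorized_keys for the example",
    "ssh-rsa " + base64.b64encode(KNOWN_BAD_BLOB).decode() + " alice@example",
    'no-pty,command="/usr/bin/rsync" ssh-rsa '
    + base64.b64encode(OTHER_BLOB).decode() + " backup",
]


def flagged_lines(lines=SAMPLE_AUTHORIZED_KEYS, blocklist=BLOCKLIST):
    """Line numbers whose key fingerprint is on the blocklist."""
    return [lineno for lineno, _, _, blocked in check_keys(lines, blocklist) if blocked]


if __name__ == "__main__":
    for lineno, key_type, fp, blocked in check_keys(SAMPLE_AUTHORIZED_KEYS, BLOCKLIST):
        print(f"line {lineno}: {key_type} {fp} {'BLOCKED' if blocked else 'not on list'}")
```

The matching is an exact fingerprint comparison, which is what makes the "what it detects / what it does not detect" note above worth writing into the documentation: a hit is never a false positive (the blob hashes to a listed value), but the check says nothing about any key whose fingerprint was never enumerated into the list, so a clean run only proves absence of listed keys, not absence of weak ones. The same `check_keys` logic applies unchanged to known_hosts blobs, which is where a general key-blocking scheme would also have to look.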
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
