On Fri, Jul 31, 2009 at 11:31 AM, Steve Grubb <sgrubb@xxxxxxxxxx> wrote:
> On Friday 31 July 2009 04:42:12 am Frank Murphy wrote:
>> I think what is meant is that the app is useless without either
>> web\media input, which the user should not have to do to take full
>> advantage of it.
>
> I think this is a bit like virus definitions.

It's more akin to a bad password list.

> 800Mb is excessive to ship in a
> package. I think the definitions could be created by a script, but will take
> some time to generate. Maybe adding a generator for people not connected would
> let them recreate the content?
>
> But a 800Mb package is bigger than the livecd.

What?! Openssh-blacklist is a list of bad keys that could have been
generated by the Debian lack-of-entropy bug. In it should be a couple of
text files: a DSA key file and an RSA key file for each of a couple of
common key sizes. Each file should have 100k lines or so with just a
fingerprint on them. All in all it should just be a couple of megabytes.

It looks like that distribution also includes the full public and private
key parts for the bad keys in addition to the fingerprints. That isn't
needed for bad key screening— that additional info is only really needed
by attackers.

After the vulnerability I screened the accounts on my systems and found a
couple of these bad keys just from giving my Ubuntu/Debian running friends
access to rsync data, so this is a risk for Fedora users too.

Not only should this install without requiring a live internet connection,
but these, or at least a subset with the most common key sizes, should
really be part of the default ssh install along with the feature in SSH
that causes it to refuse to use these keys.

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
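The screening the message describes (compare the fingerprint of every key in an authorized_keys file against a plain list of blacklisted fingerprints) can be done with nothing but the Python standard library. The block below is an added example, not code from the thread, from Fedora, or from the openssh-blacklist package. It assumes a blacklist format of one lowercase hex MD5 fingerprint per line with `#` comments (the real openssh-blacklist files have their own layout, which is not reproduced here), and both the sample key pair and the blacklist entries are constructed for the demonstration; they are not keys from the Debian incident.

```python
"""Screen OpenSSH public keys against a fingerprint blacklist.

Added example. Assumed blacklist format: one hex MD5 fingerprint per
line, '#' comment lines. Sample keys and blacklist entries below are
constructed for the demo, not real weak keys.
"""
import base64
import binascii
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """RFC 4251 'mpint': minimal big-endian bytes, with a leading zero
    byte when the top bit is set so the value is read as positive."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def make_rsa_pubkey(e: int, n: int) -> str:
    """Build an 'ssh-rsa <base64 blob>' line as found in authorized_keys."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


def fingerprint_md5(pubkey_line: str) -> str:
    """Hex MD5 of the decoded key blob: the fingerprint form ssh-keygen -l
    printed at the time, minus the colons. Key options such as
    command="..." may precede the type field; this simple split does not
    handle quoted options that themselves contain spaces."""
    fields = pubkey_line.split()
    for i, field in enumerate(fields):
        if field in ("ssh-rsa", "ssh-dss"):
            return hashlib.md5(base64.b64decode(fields[i + 1])).hexdigest()
    raise ValueError("unrecognised key line")


def load_blacklist(text: str) -> set:
    """Parse the assumed one-fingerprint-per-line blacklist format."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.add(line.lower())
    return entries


def screen_authorized_keys(content: str, blacklist: set) -> list:
    """Return (line_number, fingerprint) for each blacklisted key.
    Lines that are not parseable keys are skipped, not treated as hits."""
    hits = []
    for number, line in enumerate(content.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fp = fingerprint_md5(line)
        except (ValueError, IndexError, binascii.Error):
            continue
        if fp in blacklist:
            hits.append((number, fp))
    return hits


# Constructed sample data (tiny moduli, purely illustrative).
WEAK_KEY = make_rsa_pubkey(65537, 0xC0FFEE1234567890ABCDEF)
GOOD_KEY = make_rsa_pubkey(65537, 0xDEADBEEF0123456789FEDC)
BLACKLIST_TEXT = "# constructed blacklist\n" + fingerprint_md5(WEAK_KEY) + "\n"
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    WEAK_KEY + " alice@example",
    "# a comment line",
    "",
    GOOD_KEY + " bob@example",
])


if __name__ == "__main__":
    for number, fp in screen_authorized_keys(SAMPLE_AUTHORIZED_KEYS,
                                             load_blacklist(BLACKLIST_TEXT)):
        print(f"line {number}: blacklisted key, fingerprint {fp}")
```

Because the check is a set lookup on a fingerprint, the list only needs the fingerprints, which is the point the message makes about the size of the package: the full key material adds nothing to screening.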