On Wed, May 14, 2008 at 10:22:11PM -0400, Ted Unangst wrote: > On 5/14/08, Ben Calvert <[EMAIL PROTECTED]> wrote: > > On May 14, 2008, at 5:22 PM, Darrin Chandler wrote: > > > Are you sure that's a decent analysis? If you have a non-debian system > > > with the full number of keys available, what are the chances that you've > > > landed on one of the 32767 keys? Not very likely. So that analysis seems > > > alarmist and sensational to me. > > Because nobody would ever run ssh-keygen on their ubuntu desktop and > copy that to authorized_keys on another computer.
Sure. Lots of those keys out there already. So is something like ssh-vulnkey the right approach? I do have a couple of users on one of my boxes. Mind, they're all good OpenBSD people and I really hope their keys didn't come from a debian box. It'll be nice to find out that the keys are ok. -- Darrin Chandler | Phoenix BSD User Group | MetaBUG [EMAIL PROTECTED] | http://phxbug.org/ | http://metabug.org/ http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation
