On Friday 30 May 2008 07:39:08 [EMAIL PROTECTED] wrote:
> I personally don't like the idea of generating keys that people will
> try, or using a weak/known key with small probability, but in this
> case I think it's so small that simply scanning for and banning such
> keys is good enough.
>
> I was hoping someone would release a tool to search for them in the
> authorized_keys files on any OS (e.g. my OpenBSD box), but AFAIK,
> nobody has.
In the debian (+ubuntu+...) case, their package updating machinery now brings
in a black-listing package that essentially blocks the use of host keys or
user keys that match the "Debian Weak Key Space"(tm). I believe there's also
a tool in there to scan - ah, found it. This is from the blacklist README;
To check all keys on your system:
sudo ssh-vulnkey -a
To check a key in a non-standard location:
ssh-vulnkey /path/to/key
Though there is some note in their README to the effect that this isn't 100%
bullet-proof, ie. a weak key might not be detected as such. I'm not sure why
though, if they were really only hashing the PID then you have to figure that
the affected keys are a distinctly finite set. Perhaps the issue is
64bit-vs-32bit and endianness platform variations. In any case, if in doubt,
regenerate, grumble, and move on.
> I certainly don't want a kluge to the RNG...
Indeed, I've seen one RNG kludge so far this year, and that was one too
many ...
Cheers,
Geoff
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
