
[Bug 1469] New: Should sshd detect and reject vulnerable SSH keys (re: Debian DSA-1571 and DSA-1576)
https://bugzilla.mindrot.org/show_bug.cgi?id=1469

Summary: Should sshd detect and reject vulnerable SSH keys (re: Debian DSA-1571 and DSA-1576)
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.0p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: bitbucket@mindrot.org
ReportedBy: davee@ceu.ox.ac.uk


Debian/Ubuntu have added additional components to their openssh-*
packages which detect (and, on the server side, reject) vulnerable SSH
keys as a result of the broken random number generation.

http://www.debian.org/security/2008/dsa-1571
http://www.debian.org/security/2008/dsa-1576

Given that such vulnerable keys might have been uploaded to *any*
ssh-running OS, should similar detection be built into openssh
directly? It would seem odd that as a result of this vulnerability
becoming public that Debian and Ubuntu sshd servers are (once updated)
*more* secure than those running on other OSes, because the Debian and
Ubuntu servers now reject attempts to connect with those vulnerable
keys.

I've done some searching around this bugtracker and mailing list
archives, but can't even find *discussion* of this issue.

Alternatively, please tell me why such a modification to openssh would
be a really bad idea - I can then refer to this bug in other contexts
explaining why it isn't going to be done :-)

_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
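The server-side check the report asks about, blacklisting known-weak keys by fingerprint as the Debian packages did, as an added example that is not OpenSSH's or Debian's own code. The key blobs, the blacklist contents and the authorized_keys lines below are constructed for the example; the fingerprint is the colon-separated MD5 that ssh-keygen -l printed at the time.

```python
import base64
import hashlib
import struct

def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _mpint(x: int) -> bytes:
    """SSH wire 'mpint': minimal big-endian bytes, leading 0x00 if the top bit is set."""
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def build_rsa_blob(e: int, n: int) -> bytes:
    """Encode an RSA public key in the OpenSSH blob format: string type, mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)

def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint of the raw key blob (the pre-6.8 ssh-keygen -l format)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def parse_authorized_key(line: str):
    """Return (keytype, blob) for an authorized_keys line, or None for blank/comment/unparseable."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    # A line may start with options (from=..., command=...). The key-type field is the
    # one whose following field decodes to a blob that itself starts with that type name.
    for i, f in enumerate(fields[:-1]):
        if f.startswith("ssh-") or f.startswith("ecdsa-"):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                continue
            if blob.startswith(_ssh_string(f.encode())):
                return f, blob
    return None

def screen_authorized_keys(text: str, blacklist: set):
    """Return (line_number, fingerprint) for every key whose fingerprint is blacklisted."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parsed = parse_authorized_key(line)
        if parsed is not None:
            fp = fingerprint_md5(parsed[1])
            if fp in blacklist:
                hits.append((lineno, fp))
    return hits

# Constructed sample keys: the moduli are made-up numbers, not real RSA keys.
WEAK_BLOB = build_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
GOOD_BLOB = build_rsa_blob(65537, 0xDEADBEEF0123456789ABCD)
BLACKLIST = {fingerprint_md5(WEAK_BLOB)}  # stands in for the published weak-key fingerprint list
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the example",
    "ssh-rsa " + base64.b64encode(GOOD_BLOB).decode() + " alice@example",
    'from="10.0.0.0/8" ssh-rsa ' + base64.b64encode(WEAK_BLOB).decode() + " bob@example",
])
```

A server applying this would refuse the blacklisted entry on line 3 and accept line 2; run `screen_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLACKLIST)` to see the hit.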