[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Misc development news (#8)

On Sat, 31 May 2008, Steve Langasek wrote:

> > People submitting known bad keys to ldap and stuffing those in their
> > authorized_keys files also.  What else did you think it meant?
> I have no idea, because I don't understand why the above would warrant a
> policy change wrt authorized_keys.  Surely, known bad keys could already be
> dealt with using the blacklist support that was published as part of the
> DSA, so why would we need to disable authorized_keys altogether when there's
> support for handling this in the server itself?

Those blacklists are hardly exhaustive.  Hardly anybody seems to get
that their old DSS keys, if ever used once on a broken libssl are now
all bad.

Also note that until recently we didn't run debian's sshd at all, so
blacklist support is not something we could rely on.


Reply to: