Re: Misc development news (#8)
On Sat, 31 May 2008, Steve Langasek wrote:
> > People submitting known bad keys to ldap and stuffing those in their
> > authorized_keys files also. What else did you think it meant?
>
> I have no idea, because I don't understand why the above would warrant a
> policy change wrt authorized_keys. Surely, known bad keys could already be
> dealt with using the blacklist support that was published as part of the
> DSA, so why would we need to disable authorized_keys altogether when there's
> support for handling this in the server itself?
Those blacklists are hardly exhaustive. Hardly anybody seems to get
that their old DSS keys, if ever used once on a broken libssl, are now
all bad.
Also note that until recently we didn't run Debian's sshd at all, so
blacklist support is not something we could rely on.
--
weasel
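As an added, defender-side illustration (not code from this thread, nor from Debian's openssh-blacklist or ssh-vulnkey tooling): a small Python audit that parses an authorized_keys file, computes each key's MD5 and SHA256 fingerprints, flags keys whose fingerprint is on a blacklist, and separately flags every ssh-dss key for rotation, since, as the reply above notes, a blacklist is not exhaustive and a DSA key used even once with a broken libssl must be treated as compromised. The file contents, key blobs and blacklist are constructed for the example; the blacklist is assumed to be a set of full MD5 hex fingerprints, whereas Debian's real blacklist files use their own derived format, so the lookup would need adapting to them.

```python
import base64
import hashlib
import struct

# Key types accepted in an authorized_keys line (OpenSSH names).
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def constructed_blob(key_type: str, payload: bytes) -> str:
    """Constructed for this example: a base64 blob with a real type prefix and
    a synthetic payload. It is NOT a usable public key, only fingerprintable."""
    return base64.b64encode(ssh_string(key_type.encode()) + payload).decode()


# Constructed sample authorized_keys file (not from the thread).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file",
    "ssh-rsa " + constructed_blob("ssh-rsa", b"rsa-one") + " alice@host",
    'command="/usr/bin/backup --verbose",no-pty ssh-dss '
    + constructed_blob("ssh-dss", b"dss-two") + " backup@host",
    "ssh-dss " + constructed_blob("ssh-dss", b"dss-three") + " bob@host",
    "ssh-ed25519 " + constructed_blob("ssh-ed25519", b"ed-four"),
])

# Assumed blacklist format: full MD5 hex fingerprints, no colons. In practice
# this would be loaded from a file; here one constructed key is listed.
BLACKLIST = {hashlib.md5(base64.b64decode(constructed_blob("ssh-dss", b"dss-two"))).hexdigest()}


def split_options(line: str):
    """Return (options, rest). Options may contain quoted values with spaces
    or commas, so we scan for the first unquoted whitespace."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_line(line: str):
    """Parse one authorized_keys line; None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"unparseable line: {line!r}")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with its own type string; it must agree with the
    # declared type, otherwise the line is malformed or tampered with.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode() != key_type:
        raise ValueError(f"type mismatch in line: {line!r}")
    return {
        "options": options, "type": key_type, "comment": comment,
        "md5": hashlib.md5(blob).hexdigest(),
        "sha256": base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
    }


def audit(text: str, blacklist: set):
    """Return (verdict, type, comment, fingerprint) per key in the file."""
    results = []
    for line in text.splitlines():
        key = parse_line(line)
        if key is None:
            continue
        if key["md5"] in blacklist:
            verdict = "blacklisted"
        elif key["type"] == "ssh-dss":
            # Blacklists are not exhaustive: any DSA key that ever signed
            # with a broken libssl has leaked its private key, so rotate it.
            verdict = "dsa-rotate"
        else:
            verdict = "ok"
        fp = "MD5:" + ":".join(key["md5"][i:i + 2] for i in range(0, 32, 2))
        results.append((verdict, key["type"], key["comment"] or "(no comment)", fp))
    return results


if __name__ == "__main__":
    for verdict, ktype, comment, fp in audit(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        print(f"{verdict:12} {ktype:12} {comment:20} {fp}")
```

The audit keeps the two checks separate on purpose: a blacklist hit is a definite finding, while the ssh-dss verdict is a policy decision that treats the whole key type as suspect rather than relying on the blacklist having caught every weak key.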