
Re: Misc development news (#8)



On Sat, 31 May 2008, Steve Langasek wrote:

> > People submitting known bad keys to ldap and stuffing those in their
> > authorized_keys files also.  What else did you think it meant?
> 
> I have no idea, because I don't understand why the above would warrant a
> policy change wrt authorized_keys.  Surely, known bad keys could already be
> dealt with using the blacklist support that was published as part of the
> DSA, so why would we need to disable authorized_keys altogether when there's
> support for handling this in the server itself?

Those blacklists are hardly exhaustive.  Hardly anybody seems to get
that their old DSS keys, if ever used once on a broken libssl, are now
all bad.

Also note that until recently we didn't run Debian's sshd at all, so
blacklist support is not something we could rely on.

-- 
weasel
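An added example, not part of the thread, of the kind of authorized_keys audit the reply argues for: entries are checked against a blacklist, but DSA (ssh-dss) keys are flagged for retirement regardless, since the blacklist is not exhaustive. The blacklist format (a set of hex MD5 fingerprints of the raw key blob), the sample entries and the make_blob helper are constructed assumptions for this demo, not the openssh-blacklist file format or real keys.

```python
import base64
import hashlib
import shlex
import struct

def parse_entry(line):
    """Return (options, keytype, blob_b64, comment), or None for blank/comment lines."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    tokens = shlex.split(line)  # copes with quoted strings inside the options field
    options = "" if tokens[0].startswith(("ssh-", "ecdsa-", "sk-")) else tokens.pop(0)
    return options, tokens[0], tokens[1], " ".join(tokens[2:])

def wire_keytype(raw):
    """Read the key type string that opens an SSH wire-format public key blob."""
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode("ascii")

def audit(lines, blacklist):
    """A blacklist hit is conclusive; DSA keys are flagged even when not listed."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        _options, keytype, blob, comment = parsed
        raw = base64.b64decode(blob)
        fingerprint = hashlib.md5(raw).hexdigest()  # assumed blacklist format: MD5 of the blob
        if wire_keytype(raw) != keytype:
            findings.append((comment, "declared key type does not match blob"))
        elif fingerprint in blacklist:
            findings.append((comment, "fingerprint is blacklisted"))
        elif keytype == "ssh-dss":
            findings.append((comment, "DSA key: retire regardless of blacklist"))
    return findings

def make_blob(keytype, payload):
    """Build a minimal wire-format blob for the samples (constructed, not a real key)."""
    t = keytype.encode()
    return base64.b64encode(struct.pack(">I", len(t)) + t + payload).decode()

BAD_BLOB = make_blob("ssh-rsa", b"\x00\x00\x00\x01\x07")
SAMPLE = [  # constructed authorized_keys lines; none are real keys
    "# constructed sample",
    "ssh-rsa " + make_blob("ssh-rsa", b"\x00\x00\x00\x01\x03") + " alice@rsa-ok",
    'command="/usr/bin/rsync --server",no-pty ssh-dss ' + make_blob("ssh-dss", b"\x05") + " bob@dsa",
    "ssh-rsa " + BAD_BLOB + " carol@blacklisted",
    "ssh-rsa " + make_blob("ssh-dss", b"\x05") + " dave@type-mismatch",
]
BLACKLIST = {hashlib.md5(base64.b64decode(BAD_BLOB)).hexdigest()}
```

Running `audit(SAMPLE, BLACKLIST)` reports bob's DSA key, carol's blacklisted key and dave's mislabelled blob; alice's entry passes.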

