Re: Misc development news (#8)

[Philip Hands <phil@hands.com>]

On Sun, Jun 01, 2008 at 09:15:19AM +0200, Peter Palfrader wrote:
> On Sat, 31 May 2008, Steve Langasek wrote:
> 
> > > People submitting known bad keys to ldap and stuffing those in their
> > > authorized_keys files also.  What else did you think it meant?
> > 
> > I have no idea, because I don't understand why the above would warrant a
> > policy change wrt authorized_keys.  Surely, known bad keys could already be
> > dealt with using the blacklist support that was published as part of the
> > DSA, so why would we need to disable authorized_keys altogether when there's
> > support for handling this in the server itself?
> 
> Those blacklists are hardly exhaustive.  Hardly anybody seems to get
> that their old DSS keys, if ever used once on a broken libssl are now
> all bad.
> 
> Also note that until recently we didn't run debian's sshd at all, so
> blacklist support is not something we could rely on.

While this is initially for our (DSA's) benefit, in that it makes applying
global changes easier, it's also for user's benefit.  -- compare the
effort required to ensure that there are no copies of a key (that was
on a stolen laptop, say), on every debian host you _might_ have copied
it to, to the effort of sending a single mail and knowing you're done.

If there's some reason that you want specific keys to only give access
to specific hosts, and if the reason justifies the effort, I suppose it
would be possible to come up with a way of tagging which hosts any
particular key should give access to in LDAP -- is that why you're
worried about the loss of this feature?

In short, having had our hand forced into turning authorized_keys off, we
find that that is a better state to be in, so we're leaving it that way.
(in fact disabling authorized_keys had been suggested before but we had
no compelling reason to do it, if we had done so the post-SSL cleanup
would have been significantly less effort).

Cheers, Phil.