
Re: [SECURITY] [DSA 1576-1] New openssh packages fix predictable randomness



On Wed, May 14, 2008 at 07:33:43PM +0200, Jan Luehr wrote:
> >    To check all your own keys, assuming they are in the standard
> >    locations (~/.ssh/id_rsa, ~/.ssh/id_dsa, or ~/.ssh/identity):
> >
> >      ssh-vulnkey
> 
> I took a look at it and found two large blacklists containing lots of keys - 
> but no info on how these lists are generated - that makes me wonder:
> 
> Afair DSA keys ought to be considered compromised, even if they aren't 
> generated by a broken libssl - so what's the sense in here?
> 
> For the RSA part:
> Is it possible that file contains non-broken keys or that broken keys are not 
> listed? What are the criteria for RSA keys to be listed?

Indeed. After all the hassle I went through to make sure I'm sorted I'm
now lumped with two lookup lists which might generate false positives
and are just generally useless. I can't even not install the package
because it's in the Depends line rather than Recommends or Suggests or
whatnot. :/

-- 
  "Police noticed some rustling sounds from Linn's bottom area
  and on closer inspection a roll of cash was found protruding
  from Linn's anus, the full amount of cash taken in the robbery."
    - http://www.smh.com.au/news/world/robber-hides-loot-up-his-booty/2008/05/09/1210131248617.html

