Re: openssl-blacklist & two keys per one pid
* Jan Tomasek:
> This is a good argument. When I was trying to secure my systems from
> weak SSH keys, I decided to use ssh-vulnkey and build blacklists by
> myself from the work of H D Moore. I do not trust the dowkd.pl script because
> it lacks info on where the keys were taken from.
We did not want to publish this information in order to give system
administrators at least a tiny bit of lead in patching and reconfiguring
their systems.
> It also reported 0 weak keys even if there were keys of rare length, I
> presume unknown to dowkd.pl. I agree that there is a need to have a tool
> which everyone can easily verify.
Yes, this was a serious issue in the user interface, but it has been
fixed in the meantime.
> If the Debian or Ubuntu Security teams are interested, I can share the private
> keys with them, but publishing them on the web really isn't a good idea.
For me, dowkd-compatible fingerprints are enough in most cases. Only if
there is a discrepancy (perhaps due to a random bit flip) might we need
the keys for comparison.
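The thread above touches on two properties a blacklist checker should have: it should be verifiable by anyone, and it should not report "0 weak keys" for key sizes it has no blacklist for. The following is an added illustration, not code from this thread, from dowkd.pl, ssh-vulnkey or openssl-blacklist. It assumes a simplified blacklist layout (a dictionary keyed by key type and modulus size) and uses the hex MD5 of the decoded key blob as the fingerprint, which is the classic ssh-keygen -l value without colons; the real openssl-blacklist files derive their entries differently, so this is not drop-in compatible with them. The key lines are constructed in code from arbitrary integers of the wanted size, so no real key material is involved.

```python
import base64
import hashlib
import struct

# Added example (not from the thread). Assumed fingerprint: hex MD5 of the
# decoded key blob. Assumed blacklist layout: {(type, bits): {fingerprints}}.


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by data."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire-format mpint; a leading zero keeps the number positive."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    return blob[off:off + n], off + n


def make_rsa_pubkey(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH 'ssh-rsa AAAA... comment' line (constructed test data)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def decode_blob(line: str) -> bytes:
    """Base64-decode the key blob of a 'type blob [comment]' line (no options prefix)."""
    return base64.b64decode(line.split(None, 2)[1])


def key_type_and_bits(blob: bytes):
    """Return (key type, modulus size in bits) for ssh-rsa and ssh-dss blobs."""
    ktype, off = _read_string(blob, 0)
    if ktype == b"ssh-rsa":
        _e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        return "RSA", int.from_bytes(n, "big").bit_length()
    if ktype == b"ssh-dss":
        p, _ = _read_string(blob, off)
        return "DSA", int.from_bytes(p, "big").bit_length()
    return ktype.decode(errors="replace"), None


def fingerprint(blob: bytes) -> str:
    """Assumed fingerprint format: hex MD5 of the raw key blob."""
    return hashlib.md5(blob).hexdigest()


def check_keys(lines, blacklists):
    """Classify each key line as 'weak', 'clean', 'unchecked' or 'unparseable'.

    A key whose (type, bits) has no blacklist is reported as 'unchecked'
    instead of being silently counted as clean.
    """
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            results.append((line, "unparseable"))
            continue
        blob = base64.b64decode(parts[1])
        ktype, bits = key_type_and_bits(blob)
        comment = parts[2] if len(parts) > 2 else ""
        blacklist = blacklists.get((ktype, bits))
        if blacklist is None:
            status = "unchecked"
        elif fingerprint(blob) in blacklist:
            status = "weak"
        else:
            status = "clean"
        results.append((comment, status))
    return results


# Constructed keys: the moduli are plain integers of the wanted bit size,
# not real RSA moduli; they only exercise the length and fingerprint logic.
WEAK_KEY = make_rsa_pubkey(65537, (1 << 2047) | 12345, "weak@example")
GOOD_KEY = make_rsa_pubkey(65537, (1 << 2047) | 98765, "good@example")
RARE_KEY = make_rsa_pubkey(65537, (1 << 1535) | 4321, "rare-length@example")


def demo_blacklists():
    """Constructed blacklist covering only 2048-bit RSA keys."""
    return {("RSA", 2048): {fingerprint(decode_blob(WEAK_KEY))}}


if __name__ == "__main__":
    for comment, status in check_keys([WEAK_KEY, GOOD_KEY, RARE_KEY], demo_blacklists()):
        print(f"{status:10s} {comment}")
```

Running it reports the 2048-bit key present in the blacklist as weak, the other 2048-bit key as clean, and the 1536-bit key as unchecked, because no blacklist exists for that size. Reporting that last category separately is what distinguishes "no weak keys found" from "no weak keys looked for".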