
Re: Plans to deploy openssl-blacklist in Debian? (was: Re: ssh-vulnkey and authorized_keys)



On Thu, May 15, 2008 at 09:31:25PM -0300, Felipe Augusto van de Wiel (faw) wrote:
> 	Speaking about that, are there plans to deploy
> openssl-blacklist in Debian as an official package?

I'd be happy to get the Ubuntu blacklists into Debian -- honestly I
haven't had time yet (travelling, Ubuntu responsibilities, etc).

Given the sizes of the various blacklists, I'd like to perhaps provide
multiple packages.  The openssh-blacklist was a balance between size and
default-generated keys.  I'd like to add packages for -rsa1024 and
-rsa4096, etc.  This could be done for openssl too, I think.

There has been some confusion (well, lack of public information) about
generating the blacklists.  Since this is mostly public now with H D
Moore's site[1], the random number streams were affected by three
things:

 1) process ID
 2) sizeof(long)
 3) endian-ness

Presently, every combination of these for default dsa1024 and rsa2048
went into openssh-blacklist.  openssl-blacklist contains one additional
case: the existence of the .rnd file, which added another binary state,
doubling the size of those blacklists.

Then finally we could have a -all that installed all of them if someone
wanted it.

openvpn also needs blacklists, since it is another unique key generation
package.  There may be others beyond that.  Jamie Strandboge (Cc'd)
has been researching the blacklists (and built the ssl and openvpn
blacklists in Ubuntu).

-Kees

[1] http://metasploit.com/users/hdm/tools/debian-openssl/

-- 
Kees Cook                                            @outflux.net
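As an added example, not code from this mail or from the Debian/Ubuntu blacklist packages: a minimal check in the spirit of ssh-vulnkey that fingerprints each key in an authorized_keys file and looks it up in a blacklist. It assumes the blacklist stores the last 20 hex digits of each key's MD5 fingerprint, and the keys and blacklist fragment below are constructed sample data, not real keys.

```python
import base64
import hashlib

def parse_pubkey_line(pubkey_line):
    """Return (md5 fingerprint hex, comment) for one OpenSSH public-key line.

    Lines look like '[options] <type> <base64 blob> [comment]'; the fingerprint
    covers the decoded blob, as ssh-keygen -l computed it at the time."""
    fields = pubkey_line.split()
    idx = next((i for i, f in enumerate(fields) if f.startswith("ssh-")), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[idx + 1])
    comment = " ".join(fields[idx + 2:])
    return hashlib.md5(blob).hexdigest(), comment

def blacklist_entry(fingerprint_hex):
    # Assumption (not stated in the mail): each blacklist line holds the last 20
    # hex digits of the MD5 fingerprint; the leading 12 are dropped to save space.
    return fingerprint_hex[12:]

def load_blacklist(text):
    """Parse blacklist text: '#' comment lines are skipped, other lines are entries."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.add(line)
    return entries

def check_authorized_keys(text, blacklist):
    """Return the comment of every key in an authorized_keys text that is blacklisted."""
    flagged = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fingerprint, comment = parse_pubkey_line(line)
        if blacklist_entry(fingerprint) in blacklist:
            flagged.append(comment)
    return flagged

# Constructed sample data (not real keys): arbitrary bytes are enough to exercise
# the decode, fingerprint and lookup path.
WEAK_BLOB = base64.b64encode(b"constructed weak key blob").decode()
GOOD_BLOB = base64.b64encode(b"constructed good key blob").decode()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys",
    f"ssh-rsa {WEAK_BLOB} weak@host",
    f'from="10.0.0.0/8" ssh-dss {GOOD_BLOB} good@host',
])
# Constructed blacklist fragment holding only the weak key, in the assumed format.
SAMPLE_BLACKLIST = load_blacklist(
    "# constructed openssh-blacklist fragment\n"
    + blacklist_entry(parse_pubkey_line(f"ssh-rsa {WEAK_BLOB}")[0]) + "\n"
)

if __name__ == "__main__":
    print(check_authorized_keys(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BLACKLIST))
```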