Re: ssh-vulnkey and authorized_keys

To: jimm@simutronics.com
Cc: debian-security@lists.debian.org
Subject: Re: ssh-vulnkey and authorized_keys
From: Florian Weimer <fw@deneb.enyo.de>
Date: Mon, 19 May 2008 18:24:05 +0200
Message-id: <[🔎] 873aoexnx6.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 4831A716.1080403@simutronics.com> (James Miller's message of "Mon, 19 May 2008 11:13:10 -0500")
References: <[🔎] 200805150952.10853.vladislav.kurz@webstep.net> <[🔎] 20080515222550.GE19648@samad.com.au> <[🔎] 0BE0C8B2-23FC-4CE2-A5C0-AE460428CAB9@salk.edu> <[🔎] 20080516032324.GA2621@samad.com.au> <[🔎] 4831A716.1080403@simutronics.com>

* James Miller:

>From what I understand ssh-vulnkey only check to see if a key is listed
>in the blacklist (already compromised).  Is there any way to
>empirically test whether a key is vulnerable or not?

All vulnerable keys should be contained in the blacklist.  In other
words, the blacklist should be complete.  There is no known way to test
for a weak key, except for looking it up in a pre-generated blacklist.

Reply to:

References:
- ssh-vulnkey and authorized_keys
  - From: Vladislav Kurz <vladislav.kurz@webstep.net>
- Re: ssh-vulnkey and authorized_keys
  - From: Alex Samad <alex@samad.com.au>
- Re: ssh-vulnkey and authorized_keys
  - From: Chris Adams <cadams@salk.edu>
- Re: ssh-vulnkey and authorized_keys
  - From: Alex Samad <alex@samad.com.au>
- Re: ssh-vulnkey and authorized_keys
  - From: James Miller <jimm@simutronics.com>

Prev by Date: Re: ssh-vulnkey and authorized_keys
Next by Date: Re: openssl-blacklist & two keys per one pid
Previous by thread: Re: ssh-vulnkey and authorized_keys
Next by thread: DSA-1571 and GSSAPI
Index(es):
- Date
- Thread