Re: OpenSSH Packages No Longer Suggest openssh-blacklist

[Sven Joachim <svenjoac@gmx.de>]

On 2014-04-10 23:30 +0200, Alex Robbins wrote:

> I have been using Debian Testing (Jessie) and tried to upgrade today, and
> aptitude tried to remove openssh-blacklist and openssh-blacklist-extra
> as they
> were no longer used.  Upon further inspection, in...
>
> Debian Wheezy:
> openssh-client and openssh-server recommend openssh-blacklist and
> openssh-blacklist-extra
>
> Debian Jessie Recently (according to the packages on my system before
> the upgrade):
> openssh-client and openssh-server suggest openssh-blacklist and
> openssh-blacklist-extra
>
> Debian Jessie Currently:
> Neither openssh-client nor openssh-server depend on openssh-blacklist or
> openssh-blacklist-extra in any way
>
> I do not quite know which programs use the blacklist, but what is the
> reason for
> this change?  Shouldn't the client, the server, or both at least suggest
> openssh-blacklist?  I couldn't find anything about this in the changelogs.

It's this particular change:

,----
| openssh (1:6.5p1-1) unstable; urgency=medium
| [...]
|   * Drop ssh-vulnkey and the associated ssh/ssh-add/sshd integration code,
|     leaving only basic configuration file compatibility, since it has been
|     nearly six years since the original vulnerability and this code is not
|     likely to be of much value any more (closes: #481853, #570651).  See
|     https://lists.debian.org/debian-devel/2013/09/msg00240.html for my full
|     reasoning.
| [...]
|  -- Colin Watson <cjwatson@debian.org>  Mon, 10 Feb 2014 14:58:26 +0000
`----

The removal of ssh-vulnkey means that the blacklist isn't used anymore.

Cheers,
       Sven