Ahh the irony, apparently Debian has implemented just such a feature, but as a patch to ssh within their distro:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg214853.html

On Thu, May 22, 2008 at 11:19:05AM -0700, Abe Singer wrote:
>
> On Wed, May 14, 2008 at 07:52:58PM -0400, Steven M. Bellovin wrote:
> >
> > Given the published list of bad ssh keys due to the Debian mistake (see
> > http://metasploit.com/users/hdm/tools/debian-openssl/), should sshd be
> > updated to contain a blacklist of those keys? I suspect that a Bloom
> > filter would be quite compact and efficient.
>
> As someone who is dealing with this operationally, we (SDSC) had already
> identified what Steve suggests as the desirable long-term solution.
> I would reword the requirement slightly to say that the capability of
> sshd should be to block use of any key specified by the administrator,
> not necessarily just the published blacklist. I think that's what Steve
> may have actually meant, but clarity is helpful.
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
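Steve's Bloom-filter suggestion, worked through as an added example (not code from this thread, from Debian's patch, or from OpenSSH): it packs SHA-256 fingerprints of a bad-key list into a Bloom filter and checks an authorized_keys-style line against it. The key lines are constructed placeholders, not real keys; the sizing formula and the `SHA256:` fingerprint format are the standard ones.

```python
import base64
import hashlib
import math

class BloomFilter:
    """Fixed-size Bloom filter with k SHA-256-derived bit positions per item."""
    def __init__(self, n_items: int, fp_rate: float = 1e-6):
        # Textbook sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m / n) ln 2 hashes.
        self.m = max(8, int(-n_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / n_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: bytes):
        # k positions: hash a counter prefix plus the item, reduce mod m.
        for i in range(self.k):
            digest = hashlib.sha256(i.to_bytes(2, "big") + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def might_contain(self, item: bytes) -> bool:
        # False: definitely never added. True: added, or a false positive.
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))

def key_fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style 'SHA256:<unpadded base64>' fingerprint of a public-key line."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def build_blacklist(pubkey_lines) -> BloomFilter:
    """Pack the fingerprints of the known-bad keys into one compact filter."""
    bf = BloomFilter(len(pubkey_lines))
    for line in pubkey_lines:
        bf.add(key_fingerprint(line).encode())
    return bf

def is_blocked(bf: BloomFilter, pubkey_line: str) -> bool:
    """Per-login check: a miss is authoritative; confirm a hit against the exact list."""
    return bf.might_contain(key_fingerprint(pubkey_line).encode())

def constructed_key(label: str) -> str:
    # Constructed placeholder, NOT a real key: a fake blob in OpenSSH line format.
    blob = b"\x00\x00\x00\x07ssh-rsa" + label.encode()
    return "ssh-rsa " + base64.b64encode(blob).decode() + " user@host"

# Constructed stand-ins for the published bad-key list (not the real blacklist).
BAD_KEYS = [constructed_key(f"weak-key-{i}") for i in range(3)]
BLACKLIST = build_blacklist(BAD_KEYS)
```

The miss answer is what makes the filter attractive for sshd: a handful of hashes clears the vast majority of keys, while a hit still needs an exact-match confirmation before the key is refused, since Bloom filters have no false negatives but do have false positives.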