On Fri, May 16, 2008 at 11:16:32AM +0100, Colin Watson wrote:
> On Fri, May 16, 2008 at 11:59:44AM +0200, Raphael Hertzog wrote:
> > On Thu, 15 May 2008, Jon Dowland wrote:
> > > there's a tarball of 32bit/le rsa 4096 key pairs at
> > > <http://metasploit.com/users/hdm/tools/debian-openssl/>.
> > >
> > > I'm trying to build a blacklist for these keys*. It would be
> > > nice if one was included in the package.
> >
> > Until those lists are complete (i.e. for 32 and 64 bits, and
> > big/low endian), I don't think they should be integrated
> > as the ssh-vulnkey tool will report "Not blacklisted" for keys which are
> > potentially compromised because they have been generated on amd64 for
> > example...
> >
> > Lucas has access to GRID-5000 and could generate the keys if someone
> > provides him the required information to do the task given that the
> > nodes are amd64 (but he uses them as i386 by default with linux32 IIRC).
> >
> > But he will only have access to GRID-5000 when he comes back from his trip
> > to fosscamp (on Sunday). Also ccing Vincent Danjean who also has access to
> > grid 5000.
>
> It shouldn't take that long to generate them using the same code Kees
> used to generate the blacklist to start with. Kees, could you take care
> of that?
>
> (I'd *really* rather not use blacklists downloaded from metasploit;
> forgive my paranoia. :-) )

Certainly. In the interests of keeping the default-key blacklist package
small, how about calling the new lists -rsa512 and -rsa4096, etc?

--
Kees Cook