On Sat, 31 May 2008, Steve Langasek wrote:
> > People submitting known bad keys to ldap and stuffing those in their
> > authorized_keys files also. What else did you think it meant?
>
> I have no idea, because I don't understand why the above would warrant a
> policy change wrt authorized_keys. Surely, known bad keys could already be
> dealt with using the blacklist support that was published as part of the
> DSA, so why would we need to disable authorized_keys altogether when there's
> support for handling this in the server itself?
Those blacklists are hardly exhaustive. Hardly anybody seems to get that
their old DSS keys, if ever used once on a broken libssl, are now all bad.
Also note that until recently we didn't run debian's sshd at all, so
blacklist support is not something we could rely on.

--
weasel
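The point weasel makes, that a DSA key which ever produced a signature with the broken libssl PRNG is compromised no matter where the key itself was generated (and so cannot be caught by a blacklist of weakly generated keys), can be shown with toy parameters. This is an added illustration, not code from the thread or from Debian; the tiny group, the 32-seed PRNG model and the nonce derivation in weak_nonce are constructed assumptions standing in for the roughly 2^15 PID-seeded states of the real bug.

```python
import hashlib
SEED_SPACE = 32  # toy stand-in for the ~2^15 possible PRNG states of the broken libssl

def is_prime(n):
    return n > 1 and all(n % i for i in range(2, int(n ** 0.5) + 1))

def toy_params(q=1009):
    """Toy DSA group (constructed): primes q and p with q | p-1, and g of order q."""
    k = 2
    while not is_prime(k * q + 1):
        k += 2
    p = k * q + 1
    h = 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    return p, q, pow(h, (p - 1) // q, p)

def h_int(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def weak_nonce(seed, q):
    """Hypothetical model of the broken PRNG: the per-signature nonce k depends only on a small seed."""
    return (seed * 2654435761 + 12345) % (q - 1) + 1

def sign(msg, x, params, k):
    p, q, g = params
    r = pow(g, k, p) % q                                   # standard DSA
    s = (pow(k, -1, q) * (h_int(msg, q) + x * r)) % q
    return r, s

def recover_key(msg, sig, y, params):
    """Auditor's check: with k confined to SEED_SPACE candidates, one signature yields x."""
    p, q, g = params
    r, s = sig
    h = h_int(msg, q)
    r_inv = pow(r, -1, q)
    for seed in range(SEED_SPACE):
        k = weak_nonce(seed, q)
        x = ((s * k - h) * r_inv) % q                      # x = (s*k - H(m)) / r mod q
        if pow(g, x, p) == y:                              # confirm against the public key
            return x
    return None

def demo():
    params = toy_params()
    p, q, g = params
    x = 777                        # private key generated on a healthy system (constructed)
    y = pow(g, x, p)
    msg = b"ssh session id"        # constructed message; one signing on the broken host suffices
    for seed in range(SEED_SPACE):
        sig = sign(msg, x, params, weak_nonce(seed, q))
        if 0 not in sig:           # skip the degenerate r == 0 or s == 0 case
            break
    return x, recover_key(msg, sig, y, params)
```

Because the private key follows from a single signature, re-generating keys on a fixed box is necessary but not sufficient: any DSA key that signed even once under the weak PRNG has to be retired, which is exactly what a blacklist of weakly generated keys cannot express.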

