On Sun, Jun 01, 2008 at 09:15:19AM +0200, Peter Palfrader wrote:
> On Sat, 31 May 2008, Steve Langasek wrote:
>
> > > People submitting known bad keys to ldap and stuffing those in their
> > > authorized_keys files also. What else did you think it meant?
> >
> > I have no idea, because I don't understand why the above would warrant a
> > policy change wrt authorized_keys. Surely, known bad keys could already be
> > dealt with using the blacklist support that was published as part of the
> > DSA, so why would we need to disable authorized_keys altogether when there's
> > support for handling this in the server itself?
>
> Those blacklists are hardly exhaustive. Hardly anybody seems to get
> that their old DSS keys, if ever used once on a broken libssl, are now
> all bad.
>
> Also note that until recently we didn't run debian's sshd at all, so
> blacklist support is not something we could rely on.
While this is initially for our (DSA's) benefit, in that it makes applying
global changes easier, it's also for users' benefit -- compare the effort
required to ensure that there are no copies of a key (that was on a stolen
laptop, say) on every debian host you _might_ have copied it to, to the
effort of sending a single mail and knowing you're done.

If there's some reason that you want specific keys to only give access to
specific hosts, and if the reason justifies the effort, I suppose it would be
possible to come up with a way of tagging in LDAP which hosts any particular
key should give access to -- is that why you're worried about the loss of
this feature?

In short, having had our hand forced into turning authorized_keys off, we find
that that is a better state to be in, so we're leaving it that way. (In fact,
disabling authorized_keys had been suggested before, but we had no compelling
reason to do it; if we had done so, the post-SSL cleanup would have been
significantly less effort.)

Cheers, Phil.
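The thread's argument turns on two audit questions for a per-user authorized_keys file: is a key on the published blacklist, and, for DSS keys, was it ever used from a broken libssl (which no blacklist can tell you). The script below is an added example written for this page; it is not code from the thread, from Debian's ud-ldap, or from the openssh-blacklist package, and it is not ssh-vulnkey, which is what the Debian openssh package shipped for the blacklist half of the job. It assumes the blacklist layout I remember from those files (the hex MD5 fingerprint of the key blob with its first 12 characters dropped); if your blacklist is keyed differently, change `blacklist_key`. The keys and blacklist in it are constructed from placeholder integers and are not real key material.

```python
"""Audit an authorized_keys file against a fingerprint blacklist.

Added example, not the thread's or Debian's code.  Assumed blacklist layout:
hex MD5 fingerprint of the key blob minus its first 12 characters.  Keys
below are built from placeholder integers and are NOT usable key pairs.
"""
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """SSH mpint for a non-negative integer (leading 0x00 if high bit set)."""
    if value == 0:
        return ssh_string(b"")
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def read_string(blob: bytes, offset: int = 0):
    """Decode one wire-format string at offset; return (bytes, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def parse_authorized_keys(text: str):
    """Yield (key_type, blob, comment) per key line.

    A line may start with an options field (command="...",no-pty), possibly
    containing spaces, so we look for the first token that is a key type
    instead of assuming the type is field 0.
    """
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            raise ValueError(f"line {lineno}: no recognised key")
        key_type = fields[idx]
        blob = base64.b64decode(fields[idx + 1], validate=True)
        wire_type, _ = read_string(blob)          # blob must agree with declared type
        if wire_type != key_type.encode():
            raise ValueError(f"line {lineno}: declared {key_type}, blob is {wire_type!r}")
        yield key_type, blob, " ".join(fields[idx + 2:])


def md5_fingerprint(blob: bytes) -> str:
    """Hex MD5 of the blob, i.e. what ssh-keygen -l showed in 2008 (sans colons)."""
    return hashlib.md5(blob).hexdigest()


def blacklist_key(blob: bytes) -> str:
    """Lookup key under the assumed blacklist layout: fingerprint[12:] (20 hex chars)."""
    return md5_fingerprint(blob)[12:]


def audit(text: str, blacklist: set) -> list:
    """Return [(comment, key_type, verdict)]; verdict is blacklisted / dss-suspect / ok.

    dss-suspect encodes the thread's point: a DSS key that was ever used from a
    broken libssl is compromised, and no blacklist can enumerate those.
    """
    verdicts = []
    for key_type, blob, comment in parse_authorized_keys(text):
        if blacklist_key(blob) in blacklist:
            verdict = "blacklisted"
        elif key_type == "ssh-dss":
            verdict = "dss-suspect"
        else:
            verdict = "ok"
        verdicts.append((comment, key_type, verdict))
    return verdicts


def make_rsa_blob(e: int, n: int) -> bytes:
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def make_dss_blob(p: int, q: int, g: int, y: int) -> bytes:
    return ssh_string(b"ssh-dss") + ssh_mpint(p) + ssh_mpint(q) + ssh_mpint(g) + ssh_mpint(y)


def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


# Constructed sample data (placeholder integers, not real keys).
BAD_RSA = make_rsa_blob(65537, 0xC0FFEEDEADBEEF12345678)
GOOD_RSA = make_rsa_blob(65537, 0xFEEDFACECAFEBABE87654321)
OLD_DSS = make_dss_blob(0xD5, 0x6F, 0x03, 0x4B)
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a real file",
    f"ssh-rsa {b64(BAD_RSA)} laptop-stolen",
    f'command="/usr/bin/rsync --server",no-pty ssh-rsa {b64(GOOD_RSA)} backup',
    f"ssh-dss {b64(OLD_DSS)} alice@2006",
])
SAMPLE_BLACKLIST = {blacklist_key(BAD_RSA)}   # constructed: only the stolen key

if __name__ == "__main__":
    for comment, key_type, verdict in audit(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BLACKLIST):
        print(f"{verdict:12} {key_type:8} {comment}")
```

Run against a real file with `audit(open(path).read(), set(line.strip() for line in open(blacklist) if not line.startswith("#")))`. Note what the script cannot do, which is exactly the thread's complaint: it would have to be run on every host a key might have been copied to, whereas a key held only in a central directory is withdrawn in one place.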

