* Jan Tomasek:

> This is good argument. When I was trying to secure my systems from
> weak SSH keys. I decided to use ssh-vulnkey and build blacklists by
> myself from work of H D Moore. I do not trust dowkd.pl script because
> it lacks info where keys were taken.

We did not want to publish this information in order to give system administrators at least a tiny bit of lead in patching and reconfiguring their systems.

> It also reported 0 weak keys even if there were keys of rare length, I
> presume unknown to dowkd.pl. I agree that there is need to have tool
> which everyone can easy verify.

Yes, this was a serious issue in the user interface, but it has been fixed in the meantime.

> If Debian or Ubuntu Security teams are interested I can share private
> keys with them, but publishing them on web really isn't good idea.

For me, dowkd-compatible fingerprints are enough in most cases. Only if there is a discrepancy (perhaps due to a random bit flip), we might need the keys for comparison.

