Colin Watson wrote:
> On Thu, Jul 10, 2008 at 07:17:25PM +0200, Christoph Martin wrote:
>> Debian Bug Tracking System wrote:
>>> On Thu, Jul 10, 2008 at 05:28:19PM +0200, Christoph Martin wrote:
>>>> The openssh client and openssh-vulnkey do not check for 4096 bit
>>>> compromised keys as the sid version does. So the user will not find
>>>> these compromised keys when checking with openssh-vulnkey and the ssh
>>>> server will accept connections with these keys.
>>>>
>>>> Please supply a package like in sid which also checks for 4096 (and
>>>> other?) bit keys.
>>> Install the openssh-blacklist-extra package.
>> I checked that. It is useful if you have the unstable/testing version of
>> openssh-client. The stable openssh-client includes a version of
>> ssh-vulnkey which does not use the 4096 bit blacklists.
>
> Err, are you sure? There is no hardcoding of key sizes in ssh-vulnkey;
> it uses whatever's available.
>
> What version of openssh-blacklist-extra did you fetch?
>

> apt-cache policy openssh-client openssh-blacklist openssh-blacklist-extra
openssh-client:
Installiert:1:4.3p2-9etch2
Mögliche Pakete:1:4.3p2-9etch2
Versions-Tabelle:
1:4.7p1-12 0
70 http://ftp.de.debian.org testing/main Packages
50 http://ftp.de.debian.org unstable/main Packages
70 http://yoda.verwaltung.uni-mainz.de testing/main Packages
50 http://yoda.verwaltung.uni-mainz.de unstable/main Packages
*** 1:4.3p2-9etch2 0
900 http://security.debian.org stable/updates/main Packages
100 /var/lib/dpkg/status
1:4.3p2-9 0
900 http://ftp.de.debian.org stable/main Packages
900 http://yoda.verwaltung.uni-mainz.de stable/main Packages
openssh-blacklist:
Installiert:0.1.1
Mögliche Pakete:0.1.1
Versions-Tabelle:
0.4.1 0
70 http://ftp.de.debian.org testing/main Packages
50 http://ftp.de.debian.org unstable/main Packages
70 http://yoda.verwaltung.uni-mainz.de testing/main Packages
50 http://yoda.verwaltung.uni-mainz.de unstable/main Packages
*** 0.1.1 0
900 http://security.debian.org stable/updates/main Packages
100 /var/lib/dpkg/status
openssh-blacklist-extra:
Installiert:0.4.1
Mögliche Pakete:0.4.1
Versions-Tabelle:
*** 0.4.1 0
70 http://ftp.de.debian.org testing/main Packages
50 http://ftp.de.debian.org unstable/main Packages
70 http://yoda.verwaltung.uni-mainz.de testing/main Packages
50 http://yoda.verwaltung.uni-mainz.de unstable/main Packages
100 /var/lib/dpkg/status

ssh-vulnkey from stable/security does not search in
/usr/share/ssh/blacklist where openssh-blacklist-extra places the lists.
There is no stable/security version of openssh-blacklist-extra.

Christoph
--
============================================================================
Christoph Martin, Leiter der EDV der Verwaltung, Uni-Mainz, Germany
Internet-Mail: [EMAIL PROTECTED]
Telefon: +49-6131-3926337
Fax: +49-6131-3922856

