Bug#490185: closed by Colin Watson [EMAIL PROTECTED] (Re: Bug#490185: openssh-client: openssh-vulnkey does not find compromised keys with 4096 bit keys)

2008-07-11 Thread Christoph Martin


Colin Watson schrieb:
> On Thu, Jul 10, 2008 at 07:17:25PM +0200, Christoph Martin wrote:
>> Debian Bug Tracking System schrieb:
>>> On Thu, Jul 10, 2008 at 05:28:19PM +0200, Christoph Martin wrote:
>>>> The openssh client and openssh-vulnkey do not check for 4096 bit
>>>> compromised keys as the sid version does. So the user will not find
>>>> these compromised keys when checking with openssh-vulnkey and the ssh
>>>> server will accept connections with these keys.
>>>>
>>>> Please supply a package like in sid which also checks for 4096 (and
>>>> other?) bit keys.
>>> Install the openssh-blacklist-extra package.
>> I checked that. It is useful if you have the unstable/testing version of
>> openssh-client. The stable openssh-client includes a version of
>> ssh-vulnkey which does not use the 4096 bit blacklists.
>
> Err, are you sure? There is no hardcoding of key sizes in ssh-vulnkey;
> it uses whatever's available.
>
> What version of openssh-blacklist-extra did you fetch?
>

  apt-cache policy openssh-client openssh-blacklist openssh-blacklist-extra
openssh-client:
  Installiert:1:4.3p2-9etch2
  Mögliche Pakete:1:4.3p2-9etch2
  Versions-Tabelle:
 1:4.7p1-12 0
 70 http://ftp.de.debian.org testing/main Packages
 50 http://ftp.de.debian.org unstable/main Packages
 70 http://yoda.verwaltung.uni-mainz.de testing/main Packages
 50 http://yoda.verwaltung.uni-mainz.de unstable/main Packages
 *** 1:4.3p2-9etch2 0
900 http://security.debian.org stable/updates/main Packages
100 /var/lib/dpkg/status
 1:4.3p2-9 0
900 http://ftp.de.debian.org stable/main Packages
900 http://yoda.verwaltung.uni-mainz.de stable/main Packages
openssh-blacklist:
  Installiert:0.1.1
  Mögliche Pakete:0.1.1
  Versions-Tabelle:
 0.4.1 0
 70 http://ftp.de.debian.org testing/main Packages
 50 http://ftp.de.debian.org unstable/main Packages
 70 http://yoda.verwaltung.uni-mainz.de testing/main Packages
 50 http://yoda.verwaltung.uni-mainz.de unstable/main Packages
 *** 0.1.1 0
900 http://security.debian.org stable/updates/main Packages
100 /var/lib/dpkg/status
openssh-blacklist-extra:
  Installiert:0.4.1
  Mögliche Pakete:0.4.1
  Versions-Tabelle:
 *** 0.4.1 0
 70 http://ftp.de.debian.org testing/main Packages
 50 http://ftp.de.debian.org unstable/main Packages
 70 http://yoda.verwaltung.uni-mainz.de testing/main Packages
 50 http://yoda.verwaltung.uni-mainz.de unstable/main Packages
100 /var/lib/dpkg/status

ssh-vulnkey from stable/security does not search in
/usr/share/ssh/blacklist where openssh-blacklist-extra places the lists.
There is no stable/security version of openssh-blacklist-extra.

Christoph

-- 

Christoph Martin, Leiter der EDV der Verwaltung, Uni-Mainz, Germany
 Internet-Mail:  [EMAIL PROTECTED]
  Telefon: +49-6131-3926337
  Fax: +49-6131-3922856



signature.asc
Description: OpenPGP digital signature


Bug#490185: closed by Colin Watson [EMAIL PROTECTED] (Re: Bug#490185: openssh-client: openssh-vulnkey does not find compromised keys with 4096 bit keys)

2008-07-11 Thread Colin Watson
reopen 490185
reassign 490185 openssh-blacklist
severity 490185 important
retitle 490185 openssh-blacklist: please backport -extra for stable users
thanks

On Fri, Jul 11, 2008 at 10:02:16AM +0200, Christoph Martin wrote:
> Colin Watson schrieb:
>> On Thu, Jul 10, 2008 at 07:17:25PM +0200, Christoph Martin wrote:
>>> I checked that. It is useful if you have the unstable/testing version of
>>> openssh-client. The stable openssh-client includes a version of
>>> ssh-vulnkey which does not use the 4096 bit blacklists.
>>
>> Err, are you sure? There is no hardcoding of key sizes in ssh-vulnkey;
>> it uses whatever's available.
>>
>> What version of openssh-blacklist-extra did you fetch?
[...]
> openssh-blacklist-extra:
>   Installiert:0.4.1
>   Mögliche Pakete:0.4.1
>   Versions-Tabelle:
>  *** 0.4.1 0
>  70 http://ftp.de.debian.org testing/main Packages
>  50 http://ftp.de.debian.org unstable/main Packages
>  70 http://yoda.verwaltung.uni-mainz.de testing/main Packages
>  50 http://yoda.verwaltung.uni-mainz.de unstable/main Packages
> 100 /var/lib/dpkg/status
>
> ssh-vulnkey from stable/security does not search in
> /usr/share/ssh/blacklist where openssh-blacklist-extra places the lists.

Right, the testing/unstable version won't work; one targeted at stable
would have to put them in /etc/ssh.

> There is no stable/security version of openssh-blacklist-extra.

Ah, well, that's not an openssh bug. Kees, can we get
openssh-blacklist-extra into stable-security, please?

-- 
Colin Watson   [EMAIL PROTECTED]
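The two messages above pin the problem down to a search-path mismatch: the etch ssh-vulnkey only looks in /etc/ssh, while openssh-blacklist-extra from testing/unstable installs its lists under /usr/share/ssh, so the 4096-bit blacklist is present on disk but never consulted. The script below is an added example (not code from the bug thread, from Debian's openssh, or from the openssh-blacklist packages) that lets an administrator verify which key type/size blacklists are installed and in which of the two locations. It assumes the blacklist files are named blacklist.<TYPE>-<BITS> (for example blacklist.RSA-4096) directly under each directory, and that the stable ssh-vulnkey searches only /etc/ssh while the newer one also searches /usr/share/ssh, as the thread states; directories are passed as arguments so the functions can be run against constructed fixtures as well as the live system.

```shell
#!/bin/sh
# Added example, not part of the bug thread or of Debian's openssh packages.
# Assumptions (labelled): blacklist files are named blacklist.<TYPE>-<BITS>,
# the etch ssh-vulnkey searches only /etc/ssh, the testing/unstable one also
# searches /usr/share/ssh. Directory arguments make the functions testable
# on constructed fixtures instead of the live system.

# find_blacklists DIR... : print "TYPE-BITS path" for every blacklist file found
find_blacklists() {
    for dir in "$@"; do
        for f in "$dir"/blacklist.*; do
            [ -f "$f" ] || continue
            printf '%s %s\n' "${f##*/blacklist.}" "$f"
        done
    done
}

# has_blacklist TYPE-BITS DIR... : succeed (exit 0) if a matching list exists
has_blacklist() {
    want=$1
    shift
    find_blacklists "$@" | awk -v w="$want" '$1 == w { found = 1 } END { exit !found }'
}

# coverage_status TYPE-BITS ETCDIR SHAREDIR : prints one of
#   etc    present where both the stable and the newer ssh-vulnkey look
#   share  present only where the newer ssh-vulnkey looks (etch misses it)
#   none   no blacklist installed for this key type/size at all
coverage_status() {
    key=$1 etc=$2 share=$3
    if has_blacklist "$key" "$etc"; then
        echo etc
    elif has_blacklist "$key" "$share"; then
        echo share
    else
        echo none
    fi
}

# report_coverage ETCDIR SHAREDIR : human-readable summary for common key sizes
report_coverage() {
    etc=$1 share=$2
    for key in RSA-1024 RSA-2048 RSA-4096 DSA-1024; do
        case $(coverage_status "$key" "$etc" "$share") in
            etc)   echo "$key: blacklist in $etc (seen by stable and newer ssh-vulnkey)" ;;
            share) echo "$key: blacklist only in $share (etch ssh-vulnkey will NOT see it)" ;;
            none)  echo "$key: no blacklist installed" ;;
        esac
    done
}

# Run against the live system with: sh check_blacklists.sh --report
if [ "${1:-}" = "--report" ]; then
    report_coverage /etc/ssh /usr/share/ssh
fi
```

A "share" result for RSA-4096 on an etch host is exactly the situation reported in this bug: the list is installed, but the stable ssh-vulnkey will still report 4096-bit keys as clean, so the output of ssh-vulnkey alone cannot be taken as proof that no weak keys remain.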



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#490185: closed by Colin Watson [EMAIL PROTECTED] (Re: Bug#490185: openssh-client: openssh-vulnkey does not find compromised keys with 4096 bit keys)

2008-07-11 Thread Christoph Martin


Colin Watson schrieb:

>
> Ah, well, that's not an openssh bug. Kees, can we get
> openssh-blacklist-extra into stable-security, please?
>

Is the compromised-keys blocking feature of sshd included in the
stable/security version or only in unstable/testing?

If the security team is not accepting openssh-blacklist-extra in
stable/security I would recommend doing backports.org versions of
openssh and the blacklist packages.

Christoph

-- 

Christoph Martin, Leiter der EDV der Verwaltung, Uni-Mainz, Germany
 Internet-Mail:  [EMAIL PROTECTED]
  Telefon: +49-6131-3926337
  Fax: +49-6131-3922856



signature.asc
Description: OpenPGP digital signature


Bug#490185: closed by Colin Watson [EMAIL PROTECTED] (Re: Bug#490185: openssh-client: openssh-vulnkey does not find compromised keys with 4096 bit keys)

2008-07-11 Thread Colin Watson
On Fri, Jul 11, 2008 at 12:29:51PM +0200, Christoph Martin wrote:
> Colin Watson schrieb:
>> Ah, well, that's not an openssh bug. Kees, can we get
>> openssh-blacklist-extra into stable-security, please?
>
> Is the compromised-keys blocking feature of sshd included in the
> stable/security version or only in unstable/testing?

Both, of course, to great fanfare in security advisories.

> If the security team is not accepting openssh-blacklist-extra in
> stable/security I would recommend doing backports.org versions of
> openssh and the blacklist packages.

I see no reason why openssh would be accepted but
openssh-blacklist-extra not. After all, openssh-blacklist was new in
stable/security.

-- 
Colin Watson   [EMAIL PROTECTED]






Bug#490185: closed by Colin Watson [EMAIL PROTECTED] (Re: Bug#490185: openssh-client: openssh-vulnkey does not find compromised keys with 4096 bit keys)

2008-07-10 Thread Christoph Martin


Debian Bug Tracking System schrieb:

> On Thu, Jul 10, 2008 at 05:28:19PM +0200, Christoph Martin wrote:
>> The openssh client and openssh-vulnkey do not check for 4096 bit
>> compromised keys as the sid version does. So the user will not find
>> these compromised keys when checking with openssh-vulnkey and the ssh
>> server will accept connections with these keys.
>>
>> Please supply a package like in sid which also checks for 4096 (and
>> other?) bit keys.
>
> Install the openssh-blacklist-extra package.

I checked that. It is useful if you have the unstable/testing version of
openssh-client. The stable openssh-client includes a version of
ssh-vulnkey which does not use the 4096 bit blacklists.

Please reopen the bug.

-- 

Christoph Martin, Leiter der EDV der Verwaltung, Uni-Mainz, Germany
 Internet-Mail:  [EMAIL PROTECTED]
  Telefon: +49-6131-3926337
  Fax: +49-6131-3922856



signature.asc
Description: OpenPGP digital signature


Bug#490185: closed by Colin Watson [EMAIL PROTECTED] (Re: Bug#490185: openssh-client: openssh-vulnkey does not find compromised keys with 4096 bit keys)

2008-07-10 Thread Colin Watson
On Thu, Jul 10, 2008 at 07:17:25PM +0200, Christoph Martin wrote:
> Debian Bug Tracking System schrieb:
>> On Thu, Jul 10, 2008 at 05:28:19PM +0200, Christoph Martin wrote:
>>> The openssh client and openssh-vulnkey do not check for 4096 bit
>>> compromised keys as the sid version does. So the user will not find
>>> these compromised keys when checking with openssh-vulnkey and the ssh
>>> server will accept connections with these keys.
>>>
>>> Please supply a package like in sid which also checks for 4096 (and
>>> other?) bit keys.
>>
>> Install the openssh-blacklist-extra package.
>
> I checked that. It is useful if you have the unstable/testing version of
> openssh-client. The stable openssh-client includes a version of
> ssh-vulnkey which does not use the 4096 bit blacklists.

Err, are you sure? There is no hardcoding of key sizes in ssh-vulnkey;
it uses whatever's available.

What version of openssh-blacklist-extra did you fetch?

-- 
Colin Watson   [EMAIL PROTECTED]


