Bug#490185: closed by Colin Watson [EMAIL PROTECTED] (Re: Bug#490185: openssh-client: openssh-vulnkey does not find compromised keys with 4096 bit keys)
Colin Watson wrote:
> On Thu, Jul 10, 2008 at 07:17:25PM +0200, Christoph Martin wrote:
>> Debian Bug Tracking System wrote:
>>> On Thu, Jul 10, 2008 at 05:28:19PM +0200, Christoph Martin wrote:
>>>> The openssh client and openssh-vulnkey do not check for 4096 bit compromised keys as the sid version does. So the user will not find these compromised keys when checking with openssh-vulnkey and the ssh server will accept connections with these keys. Please supply a package like in sid which also checks for 4096 (and other?) bit keys.
>>> Install the openssh-blacklist-extra package.
>> I checked that. It is useful if you have the unstable/testing version of openssh-client. The stable openssh-client includes a version of ssh-vulnkey which does not use the 4096 bit blacklists.
> Err, are you sure? There is no hardcoding of key sizes in ssh-vulnkey; it uses whatever's available. What version of openssh-blacklist-extra did you fetch?

apt-cache policy openssh-client openssh-blacklist openssh-blacklist-extra
openssh-client:
  Installiert:1:4.3p2-9etch2
  Mögliche Pakete:1:4.3p2-9etch2
  Versions-Tabelle:
     1:4.7p1-12 0
         70 http://ftp.de.debian.org testing/main Packages
         50 http://ftp.de.debian.org unstable/main Packages
         70 http://yoda.verwaltung.uni-mainz.de testing/main Packages
         50 http://yoda.verwaltung.uni-mainz.de unstable/main Packages
 *** 1:4.3p2-9etch2 0
        900 http://security.debian.org stable/updates/main Packages
        100 /var/lib/dpkg/status
     1:4.3p2-9 0
        900 http://ftp.de.debian.org stable/main Packages
        900 http://yoda.verwaltung.uni-mainz.de stable/main Packages
openssh-blacklist:
  Installiert:0.1.1
  Mögliche Pakete:0.1.1
  Versions-Tabelle:
     0.4.1 0
         70 http://ftp.de.debian.org testing/main Packages
         50 http://ftp.de.debian.org unstable/main Packages
         70 http://yoda.verwaltung.uni-mainz.de testing/main Packages
         50 http://yoda.verwaltung.uni-mainz.de unstable/main Packages
 *** 0.1.1 0
        900 http://security.debian.org stable/updates/main Packages
        100 /var/lib/dpkg/status
openssh-blacklist-extra:
  Installiert:0.4.1
  Mögliche Pakete:0.4.1
  Versions-Tabelle:
 *** 0.4.1 0
         70 http://ftp.de.debian.org testing/main Packages
         50 http://ftp.de.debian.org unstable/main Packages
         70 http://yoda.verwaltung.uni-mainz.de testing/main Packages
         50 http://yoda.verwaltung.uni-mainz.de unstable/main Packages
        100 /var/lib/dpkg/status

ssh-vulnkey from stable/security does not search in /usr/share/ssh/blacklist where openssh-blacklist-extra places the lists.

There is no stable/security version of openssh-blacklist-extra.

Christoph

--
Christoph Martin, Head of Administration IT, Uni-Mainz, Germany
Internet-Mail: [EMAIL PROTECTED]
Phone: +49-6131-3926337 Fax: +49-6131-3922856
Bug#490185: closed by Colin Watson [EMAIL PROTECTED] (Re: Bug#490185: openssh-client: openssh-vulnkey does not find compromised keys with 4096 bit keys)
reopen 490185
reassign 490185 openssh-blacklist
severity 490185 important
retitle 490185 openssh-blacklist: please backport -extra for stable users
thanks

On Fri, Jul 11, 2008 at 10:02:16AM +0200, Christoph Martin wrote:
> Colin Watson wrote:
>> On Thu, Jul 10, 2008 at 07:17:25PM +0200, Christoph Martin wrote:
>>> I checked that. It is useful if you have the unstable/testing version of openssh-client. The stable openssh-client includes a version of ssh-vulnkey which does not use the 4096 bit blacklists.
>> Err, are you sure? There is no hardcoding of key sizes in ssh-vulnkey; it uses whatever's available. What version of openssh-blacklist-extra did you fetch?
> [...]
> openssh-blacklist-extra:
>   Installiert:0.4.1
>   Mögliche Pakete:0.4.1
>   Versions-Tabelle:
>  *** 0.4.1 0
>          70 http://ftp.de.debian.org testing/main Packages
>          50 http://ftp.de.debian.org unstable/main Packages
>          70 http://yoda.verwaltung.uni-mainz.de testing/main Packages
>          50 http://yoda.verwaltung.uni-mainz.de unstable/main Packages
>         100 /var/lib/dpkg/status
>
> ssh-vulnkey from stable/security does not search in /usr/share/ssh/blacklist where openssh-blacklist-extra places the lists.

Right, the testing/unstable version won't work; one targeted at stable would have to put them in /etc/ssh.

> There is no stable/security version of openssh-blacklist-extra.

Ah, well, that's not an openssh bug. Kees, can we get openssh-blacklist-extra into stable-security, please?

--
Colin Watson [EMAIL PROTECTED]

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
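The mismatch Colin describes above (blacklists installed under /usr/share/ssh while the etch ssh-vulnkey only reads /etc/ssh) can be checked per key. The following is an added example, not code from the bug report or from Debian's ssh-vulnkey: it derives the blacklist.TYPE-LENGTH file name from an OpenSSH public-key line and looks the key up in a caller-supplied list of directories, so a stable user can see whether a key size is covered only by a list the stable tool never searches. The file naming scheme and the entry format (last 20 hex digits of the key's MD5 fingerprint) are assumptions made here; the 4096-bit key and the blacklist content are constructed.

```python
import base64
import hashlib
import os
import struct
import tempfile

KEY_TYPES = {b"ssh-rsa": ("RSA", 2), b"ssh-dss": ("DSA", 1)}  # (name, index of modulus / prime p)

def parse_pubkey(line):
    """Return (TYPE, bits, suffix): TYPE-bits is Debian's blacklist.TYPE-LENGTH name, suffix
    is assumed to be the last 20 hex digits of the key's MD5 fingerprint."""
    blob = base64.b64decode(line.split()[1])
    fields, rest = [], blob
    while rest:                                 # SSH wire format: length-prefixed strings
        (n,) = struct.unpack(">I", rest[:4])
        fields.append(rest[4:4 + n])
        rest = rest[4 + n:]
    keytype, idx = KEY_TYPES[fields[0]]
    bits = int.from_bytes(fields[idx], "big").bit_length()
    return keytype, bits, hashlib.md5(blob).hexdigest()[-20:]

def find_match(line, search_dirs):
    """Return the blacklist file that lists this key, or None if no searched dir has one."""
    keytype, bits, suffix = parse_pubkey(line)
    for d in search_dirs:
        path = os.path.join(d, "blacklist.%s-%d" % (keytype, bits))
        if os.path.isfile(path):
            with open(path) as f:
                if suffix in (l.strip() for l in f if not l.startswith("#")):
                    return path
    return None

def make_rsa_blob(bits, e=65537):
    """Constructed ssh-rsa blob with a dummy modulus of `bits` bits (not a real key)."""
    def mpint(x):
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")   # leading 0x00 keeps it positive
        return struct.pack(">I", len(b)) + b
    return struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint((1 << (bits - 1)) | 1)

def demo():
    """Constructed layout: blacklist.RSA-4096 exists only under the usr/share/ssh directory."""
    root = tempfile.mkdtemp()
    etc, share = os.path.join(root, "etc", "ssh"), os.path.join(root, "usr", "share", "ssh")
    for d in (etc, share): os.makedirs(d)
    line = "ssh-rsa " + base64.b64encode(make_rsa_blob(4096)).decode() + " constructed"
    keytype, bits, suffix = parse_pubkey(line)
    with open(os.path.join(share, "blacklist.RSA-4096"), "w") as f:
        f.write("# constructed blacklist\n%s\n" % suffix)
    return {"bits": bits, "stable_view": find_match(line, [etc]),   # etch: /etc/ssh only
            "testing_view": find_match(line, [etc, share])}        # testing: also /usr/share/ssh
```

On a real system call find_match with your own key line and ["/etc/ssh"] versus ["/etc/ssh", "/usr/share/ssh"]; a hit only in the second run means the stable ssh-vulnkey would miss that key.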
Bug#490185: closed by Colin Watson [EMAIL PROTECTED] (Re: Bug#490185: openssh-client: openssh-vulnkey does not find compromised keys with 4096 bit keys)
Colin Watson wrote:
> Ah, well, that's not an openssh bug. Kees, can we get openssh-blacklist-extra into stable-security, please?

Is the compromised-keys blocking feature of sshd included in the stable/security version or only in unstable/testing?

If the security team is not accepting openssh-blacklist-extra in stable/security, I would recommend doing backports.org versions of openssh and the blacklist packages.

Christoph

--
Christoph Martin, Head of Administration IT, Uni-Mainz, Germany
Internet-Mail: [EMAIL PROTECTED]
Phone: +49-6131-3926337 Fax: +49-6131-3922856
Bug#490185: closed by Colin Watson [EMAIL PROTECTED] (Re: Bug#490185: openssh-client: openssh-vulnkey does not find compromised keys with 4096 bit keys)
On Fri, Jul 11, 2008 at 12:29:51PM +0200, Christoph Martin wrote:
> Colin Watson wrote:
>> Ah, well, that's not an openssh bug. Kees, can we get openssh-blacklist-extra into stable-security, please?
> Is the compromised-keys blocking feature of sshd included in the stable/security version or only in unstable/testing?

Both, of course, to great fanfare in security advisories.

> If the security team is not accepting openssh-blacklist-extra in stable/security, I would recommend doing backports.org versions of openssh and the blacklist packages.

I see no reason why openssh would be accepted but openssh-blacklist-extra not. After all, openssh-blacklist was new in stable/security.

--
Colin Watson [EMAIL PROTECTED]
Bug#490185: closed by Colin Watson [EMAIL PROTECTED] (Re: Bug#490185: openssh-client: openssh-vulnkey does not find compromised keys with 4096 bit keys)
Debian Bug Tracking System wrote:
> On Thu, Jul 10, 2008 at 05:28:19PM +0200, Christoph Martin wrote:
>> The openssh client and openssh-vulnkey do not check for 4096 bit compromised keys as the sid version does. So the user will not find these compromised keys when checking with openssh-vulnkey and the ssh server will accept connections with these keys. Please supply a package like in sid which also checks for 4096 (and other?) bit keys.
> Install the openssh-blacklist-extra package.

I checked that. It is useful if you have the unstable/testing version of openssh-client. The stable openssh-client includes a version of ssh-vulnkey which does not use the 4096 bit blacklists.

Please reopen the bug.

--
Christoph Martin, Head of Administration IT, Uni-Mainz, Germany
Internet-Mail: [EMAIL PROTECTED]
Phone: +49-6131-3926337 Fax: +49-6131-3922856
Bug#490185: closed by Colin Watson [EMAIL PROTECTED] (Re: Bug#490185: openssh-client: openssh-vulnkey does not find compromised keys with 4096 bit keys)
On Thu, Jul 10, 2008 at 07:17:25PM +0200, Christoph Martin wrote:
> Debian Bug Tracking System wrote:
>> On Thu, Jul 10, 2008 at 05:28:19PM +0200, Christoph Martin wrote:
>>> The openssh client and openssh-vulnkey do not check for 4096 bit compromised keys as the sid version does. So the user will not find these compromised keys when checking with openssh-vulnkey and the ssh server will accept connections with these keys. Please supply a package like in sid which also checks for 4096 (and other?) bit keys.
>> Install the openssh-blacklist-extra package.
> I checked that. It is useful if you have the unstable/testing version of openssh-client. The stable openssh-client includes a version of ssh-vulnkey which does not use the 4096 bit blacklists.

Err, are you sure? There is no hardcoding of key sizes in ssh-vulnkey; it uses whatever's available. What version of openssh-blacklist-extra did you fetch?

--
Colin Watson [EMAIL PROTECTED]