Date: Fri, 16 May 2008 18:24:51 +0100
From: "Craig Edwards (Brain)" <brain@...tspike.net>
To: oss-security@...ts.openwall.com
Subject: Re: OpenSSH key blacklisting

Hi,

I haven't been following this debacle too closely as I don't have much to
do with Debian; however, wouldn't such a system be vulnerable to false
positives if you are just going to hash partial fingerprints rather than
whole fingerprints?

-- Brain

Solar Designer wrote:
> Hi,
>
> Are any other distros, besides Debian, Ubuntu, and derived ones, going
> to implement key blacklisting in OpenSSH - or are considering it?
>
> We are considering it for Openwall GNU/*/Linux, and if our effort would
> be reused by others, or if others join us in developing and/or testing
> the patch, this would be a reason for us to go for it.
>
> I don't think we'll take the Debian/Ubuntu patch as-is.  Rather, we are
> likely to use a trivial binary encoding/compression method for the
> partial fingerprints.  We'd also use smaller partial fingerprints.  With
> the approach I have in mind, it'd take around 4.55 bytes per key to
> store 48-bit partial fingerprints, bringing the installed file size for
> 3 arch types and 2 key types/sizes in under 1 MB (or just over 1 MB for
> 3 key types/sizes).
>
> Please comment.
>
> Thanks,
>
> Alexander
>   
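
Added example, not from the Debian/Ubuntu patch and not from the Openwall effort described above: a Python sketch of the two points raised in this message, the false-positive exposure of truncated fingerprints and the size of a compactly encoded blacklist. It assumes the partial fingerprint is the low 48 bits of the key's MD5 digest, that each per-arch/per-key-type weak-key list holds 32767 keys, and it uses Golomb-Rice coding of the gaps between sorted fingerprints as one "trivial" encoding; none of those choices is stated on the page, and the blacklist entries are constructed from a counter rather than computed from real weak keys. With those assumptions, six 48-bit lists give an honest key roughly a 7e-10 chance of being blacklisted, the same lists truncated to 16 bits would flag most honest keys, and the gap coding lands at about 4.3 bytes per key against 6 bytes raw, in the neighbourhood of the 4.55 figure quoted.

```python
import bisect
import hashlib

FP_BITS = 48            # partial-fingerprint width proposed in the thread
KEYS_PER_LIST = 32767   # assumed size of one per-arch/per-key-type list


def partial_fingerprint(pubkey_blob: bytes, bits: int = FP_BITS) -> int:
    """Assumed scheme: the low `bits` bits of the key's MD5 digest (the
    classic OpenSSH fingerprint).  The real patch's choice is not on the page."""
    digest = hashlib.md5(pubkey_blob).digest()
    return int.from_bytes(digest, "big") & ((1 << bits) - 1)


def false_positive_rate(blacklisted: int, bits: int = FP_BITS) -> float:
    """P(an honest key with a uniform partial fingerprint collides with at
    least one of `blacklisted` distinct entries)."""
    return 1.0 - (1.0 - 2.0 ** -bits) ** blacklisted


class BitWriter:
    """Packs variable-width fields MSB-first into a byte string."""
    def __init__(self):
        self.buf, self.acc, self.n = bytearray(), 0, 0

    def write(self, value: int, width: int) -> None:
        self.acc = (self.acc << width) | value
        self.n += width
        while self.n >= 8:          # flush whole bytes, keep the remainder
            self.n -= 8
            self.buf.append((self.acc >> self.n) & 0xFF)
        self.acc &= (1 << self.n) - 1

    def finish(self) -> bytes:
        if self.n:                  # zero-pad the final partial byte
            self.buf.append((self.acc << (8 - self.n)) & 0xFF)
        return bytes(self.buf)


class BitReader:
    """Inverse of BitWriter; a truncated stream raises IndexError."""
    def __init__(self, data: bytes):
        self.data, self.pos, self.acc, self.n = data, 0, 0, 0

    def read(self, width: int) -> int:
        while self.n < width:
            self.acc = (self.acc << 8) | self.data[self.pos]
            self.pos += 1
            self.n += 8
        self.n -= width
        value = (self.acc >> self.n) & ((1 << width) - 1)
        self.acc &= (1 << self.n) - 1
        return value


def encode_blacklist(fps, bits: int = FP_BITS) -> bytes:
    """Golomb-Rice-code the gaps between sorted, distinct fingerprints.
    Assumed layout: 32-bit count, 8-bit Rice parameter k, then per entry
    (gap >> k) one-bits plus a terminating zero and the low k bits of gap.
    k is picked so the mean gap is about 2^k, keeping the unary part short."""
    fps = sorted(set(fps))
    k = max(0, bits - (len(fps) - 1).bit_length())
    w = BitWriter()
    w.write(len(fps), 32)
    w.write(k, 8)
    prev = -1
    for fp in fps:
        gap = fp - prev - 1                 # >= 0: entries distinct and sorted
        prev = fp
        q = gap >> k
        w.write((1 << (q + 1)) - 2, q + 1)  # q ones followed by a zero
        w.write(gap & ((1 << k) - 1), k)
    return w.finish()


def decode_blacklist(blob: bytes) -> list:
    r = BitReader(blob)
    count, k = r.read(32), r.read(8)
    out, prev = [], -1
    for _ in range(count):
        q = 0
        while r.read(1):
            q += 1
        prev += ((q << k) | r.read(k)) + 1
        out.append(prev)
    return out


def is_blacklisted(pubkey_blob: bytes, sorted_fps) -> bool:
    """Membership test against a decoded (sorted) list by binary search."""
    fp = partial_fingerprint(pubkey_blob)
    i = bisect.bisect_left(sorted_fps, fp)
    return i < len(sorted_fps) and sorted_fps[i] == fp


def constructed_weak_list(n: int = KEYS_PER_LIST, tag: bytes = b"weak") -> list:
    """Constructed stand-in for one weak-key list: n distinct pseudo-random
    fingerprints of counter-derived blobs, not of real weak public keys."""
    fps, i = set(), 0
    while len(fps) < n:
        fps.add(partial_fingerprint(tag + i.to_bytes(4, "big")))
        i += 1
    return sorted(fps)


def bytes_per_key(sorted_fps) -> float:
    return len(encode_blacklist(sorted_fps)) / len(sorted_fps)


if __name__ == "__main__":
    weak = constructed_weak_list()
    blob = encode_blacklist(weak)
    assert decode_blacklist(blob) == weak
    print(f"{len(weak)} keys -> {len(blob)} bytes, {bytes_per_key(weak):.2f} B/key (raw: 6)")
    print("P(false positive), 6 lists, 48-bit:", false_positive_rate(6 * KEYS_PER_LIST))
    print("P(false positive), 6 lists, 16-bit:", false_positive_rate(6 * KEYS_PER_LIST, 16))
```

The false-positive figure answers the question above directly: truncation is safe only while the number of blacklisted entries stays tiny relative to 2^bits, and the exposure grows linearly with every list that is added, so anyone widening the blacklist (more architectures, more key sizes) should recompute it rather than assume 48 bits stays sufficient.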
