Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20120420131643.GA26757@openwall.com>
Date: Fri, 20 Apr 2012 17:16:43 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: owl and openssh

On Thu, Apr 19, 2012 at 07:05:55AM +0200, Pawe?? Hajdan, Jr. wrote:
> Isn't upstream interested in those owl patches? Have they been submitted
> and rejected?

I discussed the key blacklisting stuff with upstream while we were still
designing it (we'd consider their preferences if any).  They did not
want it.  Yet we wanted to have it, and we actually caught some weak
keys (from Debian systems) in the wild shortly after we deployed those
updated packages on clients' Owl-based systems that we manage (and where
their other contractors, etc. have accounts).  So those would be real
vulnerabilities in real systems if we did not include that code.

It is understandable that OpenBSD did not want to complicate their code
because of another project's fault, and OpenSSH portable did not want to
differ in this respect this time.  They would potentially include
generic user-configurable blacklisting, but implementation and user
interface wise it would need to be substantially different from the
efficient mass blacklisting of a fixed set of keys that we needed for
dealing with the Debian incident.

In general, OpenSSH patches that we have were considered for upstream
relevance.  Some were submitted, a subset of those were merged.

I started typing specific info here, but the list was quickly getting
long, so I felt that it's not productive use of my time.  Perhaps you
did not mean to spend much of my time on an elaborate answer with your
quick question.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.