Karanbir Singh wrote:
Dag pointed out that Suse is also considering setting up a blacklist of this nature. I don't mind looking at something like this within CentOS if someone wants to make a case for it. Would it be better to just have some tool (Daniel already brought that up!) that could audit setups instead of running such a blacklist?
The problem is that the tools I know only look for broken ssh keys (dowkd.pl, ssh-vulnkey) and none of them address other problematic areas like certificates, dnssec-keys (although Lutz Donnerhacke mailed all people running zones with broken keys) and so on.
If you take a look at http://debian.wideopenssl.org/ there are so many applications which might have broken keys even on non-Debian systems that I think offering a tool for just ssh keys might give people a wrong sense of security, if they don't find broken ssh keys on their machines.
Ralph
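To illustrate the point that a checker keyed on ssh key files alone misses the same weak modulus in other containers, here is an added example (not a tool from this thread, from CentOS, or from the Debian project): it reduces two encodings of an RSA public key, an OpenSSH authorized_keys line and a PKCS#1 "RSA PUBLIC KEY" PEM, to the bare modulus and checks a SHA-1 of that modulus against a blacklist, so the hit is the same whichever file the key turns up in. The blacklist format (SHA-1 over the minimal big-endian modulus bytes), the file labels and the toy 24/28-bit moduli are constructed for this example; a real audit would load the published weak-key hashes and also feed it the modulus pulled out of X.509 certificates and DNSSEC key records.

```python
import base64, hashlib, struct

def modulus_fingerprint(n):
    # SHA-1 over the minimal big-endian modulus bytes: an encoding-independent key id (assumed format)
    return hashlib.sha1(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()

def _der_len(buf, pos):  # DER length (short or long form) -> (length, next position)
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes

def _der_int(buf, pos):  # DER INTEGER -> (value, next position)
    if buf[pos] != 0x02:
        raise ValueError("expected DER INTEGER")
    length, pos = _der_len(buf, pos + 1)
    return int.from_bytes(buf[pos:pos + length], "big"), pos + length

def modulus_from_pkcs1_pem(pem):
    # PKCS#1 'RSA PUBLIC KEY' body is DER SEQUENCE { INTEGER n, INTEGER e }
    der = base64.b64decode("".join(row for row in pem.splitlines() if not row.startswith("-----")))
    if der[0] != 0x30:
        raise ValueError("expected DER SEQUENCE")
    return _der_int(der, _der_len(der, 1)[1])[0]

def modulus_from_openssh(line):
    # authorized_keys-style line; the blob is string "ssh-rsa", mpint e, mpint n
    blob, pos, fields = base64.b64decode(line.split()[1]), 0, []
    while pos < len(blob):
        (ln,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + ln])
        pos += 4 + ln
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[2], "big")

PARSERS = {"openssh": modulus_from_openssh, "pkcs1": modulus_from_pkcs1_pem}

def audit(entries, blacklist):
    # entries: (label, format, text); returns labels whose modulus hash is blacklisted
    return [label for label, fmt, text in entries
            if modulus_fingerprint(PARSERS[fmt](text)) in blacklist]

# Constructed toy inputs (not real keys): one modulus in two encodings, plus an unrelated key
SSH_WEAK = "ssh-rsa " + base64.b64encode(
    b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x03\x01\x00\x01\x00\x00\x00\x04\x00\xc0\xff\xee").decode() + " weak@host"
PEM_WEAK = ("-----BEGIN RSA PUBLIC KEY-----\n" + base64.b64encode(
    bytes.fromhex("300b020400c0ffee0203010001")).decode() + "\n-----END RSA PUBLIC KEY-----\n")
SSH_OK = "ssh-rsa " + base64.b64encode(
    b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x03\x01\x00\x01\x00\x00\x00\x04\x0b\xad\xc0\xde").decode()
BLACKLIST = {modulus_fingerprint(0xC0FFEE)}  # stand-in for the published weak-modulus hashes

def demo():  # both encodings of the weak modulus are flagged, the other key is not
    return audit([("id_rsa.pub", "openssh", SSH_WEAK), ("server.pem", "pkcs1", PEM_WEAK),
                  ("other.pub", "openssh", SSH_OK)], BLACKLIST)
```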