[CentOS] Re: [CentOS-announce] Impact of the Debian OpenSSL vulnerability

Sat May 17 01:03:24 UTC 2008
Karanbir Singh <mail-lists at karan.org>

Chris Butler wrote:
> In addition to the fixed OpenSSL packages, Debian also released an update to
> OpenSSH that includes a blacklist of the weak keys. With this update, any
> connections attempting to authenticate with a weak key are rejected. There's
> also a utility which searches through user ~/.ssh directories for
> blacklisted keys.
> This blacklist would help in securing non-Debian systems as well. Are there
> any plans to include this ssh update in CentOS? 

Dag pointed out that Suse is also considering setting up a blacklist of
this nature. I don't mind looking at something like this within CentOS if
someone wants to make a case for it. Would it be better to just have
some tool ( Daniel already brought that up! ) that could audit setups
instead of running such a blacklist ?

Imho, the CentOS team would be open to looking at anything that helps
improve security for the users. And let's also keep an eye on what comes
down from upstream. But till such time as there is an upstream release
to address this issue ( if at all ) nothing stops us from providing the
resources required.

Karanbir Singh : http://www.karan.org/ : 2522219 at icq
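To make the "audit tool vs. blacklist" discussion above concrete, here is an added example (not code from the thread, from Debian's openssh-blacklist package, or from CentOS) of a minimal audit script in the spirit of the utility Chris mentions: it walks an authorized_keys file, computes a fingerprint over each public-key blob, and reports keys that appear in a blacklist. The blacklist format (one hex SHA-1 of the raw key blob per line) and the sample keys are assumptions constructed for this example; the real Debian blacklist files use their own format and contain fingerprints of the actual weak keys, which this example does not reproduce.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if high bit set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_blob(e: int, n: int) -> bytes:
    """Build the ssh-rsa public-key blob that appears base64-encoded in authorized_keys."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprint(blob: bytes) -> str:
    """Hex SHA-1 over the raw key blob; used as the blacklist lookup key here (assumption)."""
    return hashlib.sha1(blob).hexdigest()


def parse_authorized_keys(text: str):
    """Yield (key_type, blob, comment) per key line; skip blanks, comments and undecodable lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # A line may carry an options field (e.g. from="10.0.0.0/8") before the
        # key type, so look for the first field that names a key algorithm.
        for i, field in enumerate(fields):
            if field.startswith(("ssh-", "ecdsa-")):
                if i + 1 < len(fields):
                    try:
                        blob = base64.b64decode(fields[i + 1], validate=True)
                    except ValueError:  # binascii.Error is a ValueError subclass
                        break
                    yield field, blob, " ".join(fields[i + 2:])
                break


def make_blacklist(blobs) -> str:
    """Render a blacklist file: comment header plus one fingerprint per line."""
    return "# constructed sample blacklist\n" + "".join(fingerprint(b) + "\n" for b in blobs)


def load_blacklist(text: str) -> set:
    """Parse a blacklist file into a set of lowercase hex fingerprints."""
    return {l.strip().lower() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")}


def audit_authorized_keys(text: str, blacklist_text: str):
    """Return [(key_type, fingerprint, comment)] for every key found in the blacklist."""
    blacklist = load_blacklist(blacklist_text)
    hits = []
    for key_type, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        if fp in blacklist:
            hits.append((key_type, fp, comment))
    return hits


# Constructed sample keys with toy moduli; these are NOT real or known-weak keys.
WEAK_BLOB = rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
GOOD_BLOB = rsa_blob(65537, 0xDEADBEEF0BADF00DCAFE)

SAMPLE_BLACKLIST = make_blacklist([WEAK_BLOB])

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample ~/.ssh/authorized_keys",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " alice@weak-host",
    'from="10.0.0.0/8" ssh-rsa ' + base64.b64encode(GOOD_BLOB).decode() + " bob@ok-host",
    "ssh-rsa not*valid*base64 broken@line",
])

if __name__ == "__main__":
    for key_type, fp, comment in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BLACKLIST):
        print(f"BLACKLISTED {key_type} {fp} {comment}")
```

Run against a real system it would loop over each user's authorized_keys (and the host and user key files) instead of the constructed sample, and the blacklist would be the distribution-supplied one; the point is that an audit of this kind only ever finds keys whose fingerprints are already known, so a blacklist enforced at authentication time and an audit tool are complementary rather than alternatives.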