Karanbir Singh wrote:
> Dag pointed out that Suse is also considering setting up a blacklist of
> this nature. I don't mind looking at something like this within CentOS if
> someone wants to make a case for it. Would it be better to just have
> some tool (Daniel already brought that up!) that could audit setups
> instead of running such a blacklist?

The problem is that the tools I know only look for broken ssh keys (dowkd.pl, ssh-vulnkey) and none of them address other problematic areas like certificates, dnssec-keys (although Lutz Donnerhacke mailed all people running zones with broken keys) and so on.

If you take a look at <http://debian.wideopenssl.org/> there are so many applications which might have broken keys even on non-Debian systems that I think offering a tool for just ssh keys might give people a wrong sense of security, if they don't find broken ssh keys on their machines.

Ralph