[CentOS] Re: [CentOS-announce] Impact of the Debian OpenSSL vulnerability

Sat May 17 13:20:07 UTC 2008
Daniel de Kok <me at danieldk.org>

On Sat, May 17, 2008 at 12:25 PM, Ralph Angenendt
<ra+centos at br-online.de> wrote:
> If you take a look at <http://debian.wideopenssl.org/> there are so many
> applications which might have broken keys even on non-Debian systems
> that I think offering a tool for just ssh keys might give people a wrong
> sense of security, if they don't find broken ssh keys on their machines.

People often mistake tools for facts. Just like rootkit detection
utilities, people should realize that key detection is just a tool to
assist with finding obvious compromises. I think it is OK to provide
one of these detection tools through the -extras repository, as long
as it is made clear in the documentation what it detects, what it does
not detect, and whether there is a chance of having false positives.

Wrt. fingerprint-based blocking in OpenSSH:

- What does our upstream think about this?
- What do the OpenSSH developers think about this?

I think a general scheme for blocking certain public keys might be
useful, even outside this specific case. But I am not sure it is a
good idea to make/use vendor-specific extensions.

Take care,
Daniel
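As an illustration of the fingerprint-based blocking idea discussed above, here is an added example (not from this thread, nor from any CentOS or OpenSSH tool) that parses authorized_keys entries, fingerprints each key blob and labels it against a blocklist of fingerprints. The two keys, the options field and the blocklist are all constructed toy values standing in for a published weak-key fingerprint list; MD5 colon-hex is used because that is what OpenSSH printed in 2008, with SHA256 alongside. An entry that is "not-listed" is only unknown to the list, which is exactly the false-sense-of-security caveat raised in the thread.

```python
import base64, hashlib, struct

def parse_blob(blob):  # split an SSH wire-format public key into its length-prefixed fields
    fields, off = [], 0
    while off + 4 <= len(blob):
        n = struct.unpack(">I", blob[off:off + 4])[0]
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    if off != len(blob):  # a field ran past the end, or trailing bytes were left over
        raise ValueError("truncated or malformed key blob")
    return fields
def parse_line(line):  # -> (keytype, blob) for an authorized_keys entry, None for blank/comment
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    # An entry may start with an options field (no-pty,from="..."); the key type follows it.
    idx = next((i for i, t in enumerate(tokens) if t.startswith(("ssh-", "ecdsa-"))), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError("no key type/blob found")
    blob = base64.b64decode(tokens[idx + 1], validate=True)  # bad base64 -> ValueError subclass
    if parse_blob(blob)[:1] != [tokens[idx].encode()]:
        raise ValueError("key type inside blob does not match the declared type")
    return tokens[idx], blob
def fingerprints(blob):  # MD5 colon-hex (what OpenSSH printed in 2008) and SHA256 base64
    md5 = hashlib.md5(blob).hexdigest()
    return {"MD5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "SHA256": base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()}
def check_authorized_keys(text, blocklist):
    """Label each entry blocked / not-listed / unparseable; 'not-listed' is not 'safe'."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            parsed = parse_line(line)
        except ValueError as exc:
            results.append({"line": lineno, "status": "unparseable", "reason": str(exc)})
            continue
        if parsed:
            fps = fingerprints(parsed[1])
            status = "blocked" if any(fp in blocklist for fp in fps.values()) else "not-listed"
            results.append({"line": lineno, "status": status, "type": parsed[0], **fps})
    return results
def build_rsa_blob(e, n):  # toy ssh-rsa blob from constructed integers; NOT real key material
    field = lambda b: struct.pack(">I", len(b)) + b
    mpint = lambda x: field(x.to_bytes((x.bit_length() + 8) // 8, "big"))
    return field(b"ssh-rsa") + mpint(e) + mpint(n)

WEAK_BLOB, OK_BLOB = build_rsa_blob(65537, 0xC0FFEE01), build_rsa_blob(65537, 0xBADC0DE5)
SAMPLE = "\n".join(["ssh-rsa %s weak@example" % base64.b64encode(WEAK_BLOB).decode(),
    'no-pty,from="10.0.0.0/8" ssh-rsa %s ok@example' % base64.b64encode(OK_BLOB).decode(),
    "ssh-rsa AAAA garbage"])  # constructed sample: toy weak key, sound toy key, a garbage line
BLOCKLIST = {fingerprints(WEAK_BLOB)["MD5"]}  # stands in for a published weak-key fingerprint list
```

Running `check_authorized_keys(SAMPLE, BLOCKLIST)` labels the first entry blocked, the second not-listed and the third unparseable; a real deployment would load the blocklist from the distribution's weak-key data and treat only "blocked" as a finding.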