On Sat, May 17, 2008 at 12:25 PM, Ralph Angenendt <ra+centos at br-online.de> wrote:
> If you take a look at <http://debian.wideopenssl.org/> there are so many
> applications which might have broken keys even on non-Debian systems
> that I think offering a tool for just ssh keys might give people a wrong
> sense of security, if they don't find broken ssh keys on their machines.

People often mistake tools for facts. Just like rootkit detection utilities, people should realize that key detection is just a tool to assist with finding obvious compromises.

I think it is OK to provide one of these detection tools through the -extras repository, as long as it is made clear in the documentation what it detects, what it does not detect, and whether there is a chance of having false positives.

Wrt. fingerprint-based blocking in OpenSSH:

- What does our upstream think about this?
- What do the OpenSSH developers think about this?

I think a general scheme for blocking certain public keys might be useful, even outside this specific case. But I am not sure it is a good idea to make/use vendor-specific extensions.

Take care,
Daniel
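The fingerprint-based blocking and the "say what it detects and what it does not" point discussed above, as an added example that is not code from this thread, from CentOS or from OpenSSH: a scanner that reads an authorized_keys file, computes each key's fingerprint in both the colon-separated MD5 form used in 2008 and the newer SHA256 form, compares them against a blocklist, and reports every line it could not interpret as "unchecked" instead of silently skipping it. The blocklist and the two ed25519 key blobs are constructed placeholders, not published weak-key fingerprints; a real deployment would load the vendor's published list. Lines with a leading options field (command="...",no-pty) are handled, which goes slightly beyond the plain key lines the thread talks about.

```python
"""Check OpenSSH public keys in an authorized_keys file against a
fingerprint blocklist.

Added example, not code from the CentOS list thread or from OpenSSH.
The blocklist and key blobs below are constructed placeholders.
"""
import base64
import hashlib
import re
import struct

# Key types this scanner recognises; anything else is reported as
# "unchecked" so the report states what was *not* inspected.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Matches "<type> <base64blob>" anywhere in the line, so a leading
# options field (command="...",no-pty) does not break parsing.
KEY_RE = re.compile(r"(?P<type>%s)\s+(?P<blob>[A-Za-z0-9+/]+=*)"
                    % "|".join(map(re.escape, KEY_TYPES)))


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint (the format used in 2008)."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def wire_type(blob: bytes):
    """Return the key type string embedded in the decoded blob, or None."""
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4:
        return None
    return blob[4:4 + n].decode("ascii", errors="replace")


def scan_authorized_keys(text: str, blocklist: set) -> dict:
    """Return {'blocked': [...], 'clean': [...], 'unchecked': [...]}.

    Each entry is (line_number, sha256_fingerprint_or_None).  A key whose
    MD5 or SHA256 fingerprint appears in `blocklist` is 'blocked'; a line
    the parser cannot interpret is 'unchecked', never silently dropped.
    """
    result = {"blocked": [], "clean": [], "unchecked": []}
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = KEY_RE.search(stripped)
        if match is None:
            result["unchecked"].append((lineno, None))
            continue
        try:
            blob = base64.b64decode(match.group("blob"), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            result["unchecked"].append((lineno, None))
            continue
        # The declared type must agree with the type inside the blob.
        if wire_type(blob) != match.group("type"):
            result["unchecked"].append((lineno, None))
            continue
        fps = {fingerprint_sha256(blob), fingerprint_md5(blob)}
        bucket = "blocked" if fps & blocklist else "clean"
        result[bucket].append((lineno, fingerprint_sha256(blob)))
    return result


def make_ed25519_blob(raw32: bytes) -> bytes:
    """OpenSSH wire encoding of an ed25519 public key (constructed test
    data; the 32 bytes are not a real key)."""
    return (struct.pack(">I", 11) + b"ssh-ed25519" +
            struct.pack(">I", 32) + raw32)


WEAK_BLOB = make_ed25519_blob(bytes(range(32)))       # constructed
GOOD_BLOB = make_ed25519_blob(bytes(range(32, 64)))   # constructed
BLOCKLIST = {fingerprint_sha256(WEAK_BLOB)}           # placeholder list

# Constructed sample authorized_keys: one blocked key, one key with an
# options prefix, and one line that is not a parseable key at all.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-ed25519 %s alice@example" % base64.b64encode(WEAK_BLOB).decode(),
    'command="/usr/bin/backup",no-pty ssh-ed25519 %s backup@example'
    % base64.b64encode(GOOD_BLOB).decode(),
    "ssh-rsa not-base64!! broken@example",
])

if __name__ == "__main__":
    report = scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLOCKLIST)
    for bucket, entries in report.items():
        for lineno, fp in entries:
            print(f"{bucket:9} line {lineno}: {fp}")
```

The "unchecked" bucket is the documentation point from the message made operational: a run that prints only "blocked" and "clean" would let an administrator read an empty blocked list as proof that nothing is wrong, when the scanner may simply have failed to parse a line or only ever looked at one file. Host keys, keys in other users' files and keys embedded in applications are outside what this scanner inspects, and the blocklist can only catch fingerprints someone has already published.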