On Sun, Aug 24, 2008 at 09:39:15AM -0600, Stephen John Smoogen wrote:
2008/8/24 Axel Thimm <Axel.Thimm(a)atrpms.net>:
>> On Sat, Aug 23, 2008 at 04:37:13PM -0500, Jeffrey Ollie wrote:
>> > The primary reason is that it's nearly impossible to tell if the key
>> > was generated on a Debian system with the compromised OpenSSL
>> > versions.
>
> OK, I checked and it is far from impossible. After all the bug was
> that there are only 32k possible keys per arch/size/type - Debian has
> even issued blacklists for all keys of typical und some untypical
> sizes like 1024/2048/1023/2047/4096/8192 and for some sizes they even
> packaged it up, see
>
>
http://packages.debian.org/unstable/main/openssh-blacklist
>
http://packages.debian.org/unstable/main/openssh-blacklist-extra
>
> If there is paranoia floating around, then why not use that blacklist
> in Fedora/RHEL as well instead of nuking all DSA keys and still
> allowing the bad RSA keys?
All RSA keys were nuked too.
Please read up the complete thread (and maybe the subject line as well
:) - with nuking of ssh keys I'm not referring to the internally used
ssh keys, which were all replaced, but the nuking of all user DSA keys
for using in FAS/cvs.
s/nuked/banned/g for a better phrasing - sorry, me no naitif ingisch
spieka.
--
Axel.Thimm at
ATrpms.net