openssh-blacklist - careless waste of space.

Gregory Maxwell gmaxwell at gmail.com
Sat Aug 1 09:50:54 UTC 2009


On Fri, Jul 31, 2009 at 11:31 AM, Steve Grubb<sgrubb at redhat.com> wrote:
> On Friday 31 July 2009 04:42:12 am Frank Murphy wrote:
>> I think what is meant is that the app is useless without either
>> web/media input, which the user should not have to do to take full
>> advantage of it.
>
> I think this is a bit like virus definitions.

It's more akin to a bad password list.

> 800Mb is excessive to ship in a
> package. I think the definitions could be created by a script, but will take
> some time to generate. Maybe adding a generator for people not connected would
> let them recreate the content?
>
> But a 800Mb package is bigger than the livecd.


What?!

Openssh-blacklist is a list of bad keys that could have been generated
by the Debian lack-of-entropy bug.

In it should be a couple of text files: a DSA key file and an RSA key
file for each of a couple of common key sizes.  Each file should have
100k lines or so with just a fingerprint on them; all in all it
should just be a couple of megabytes.

It looks like that distribution also includes the full public and
private keyparts for the bad keys in addition to the fingerprints.
That isn't needed for bad key screening— that additional info is only
really needed by attackers.

After the vulnerability I screened the accounts on my systems and
found a couple of these bad keys just from giving my Ubuntu/Debian
running friends access to rsync data, so this is a risk for Fedora
users too.

Not only should this install without requiring a live internet
connection but these, or at least a subset with the most common key
sizes, should really be part of the default ssh install along with the
feature in SSH that causes it to refuse to use these keys.




More information about the fedora-devel-list mailing list
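The screening the post describes needs nothing more than a fingerprint per line: a key is recognised by hashing its public wire-format blob, so a blacklist of fingerprints is enough and the key material itself never has to ship. The following added example (not code from the post, the openssh-blacklist package, or OpenSSH) shows that check over an `authorized_keys` file. The RSA moduli, the blacklist text and the `authorized_keys` lines are constructed in the script and are not real compromised keys; the one-fingerprint-per-line blacklist format is an assumption chosen to match the post's description, not the package's actual file format.

```python
import base64
import binascii
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length + payload."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if the high bit is set)."""
    if value == 0:
        return ssh_string(b"")
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def make_rsa_blob(e: int, n: int) -> bytes:
    """Build the public-key blob that appears base64-encoded in an ssh-rsa authorized_keys line."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def blob_key_type(blob: bytes):
    """Return the key type string embedded at the start of a blob, or None if malformed."""
    if len(blob) < 4:
        return None
    (length,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + length:
        return None
    return blob[4:4 + length].decode("ascii", "replace")


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Older colon-separated MD5 fingerprint of the same blob."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def parse_authorized_keys_line(line: str):
    """Return (keytype, blob, comment) for a key line, or None for blank, comment or unparseable lines.

    Lines may start with options such as command="..."; the key-type token is located by scanning."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    for i, tok in enumerate(fields):
        if tok.startswith("ssh-") or tok.startswith("ecdsa-"):
            if i + 1 >= len(fields):
                return None
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except (ValueError, binascii.Error):
                return None
            if blob_key_type(blob) != tok:   # type token must match the blob's embedded type
                return None
            return tok, blob, " ".join(fields[i + 2:])
    return None


def load_blacklist(text: str) -> set:
    """Parse a fingerprint-only blacklist (assumed format: one fingerprint per line, '#' comments)."""
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.strip().startswith("#")}


def screen_authorized_keys(text: str, blacklist: set) -> list:
    """Return (line number, key type, SHA256 fingerprint, comment) for every blacklisted key."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_authorized_keys_line(line)
        if parsed is None:
            continue
        keytype, blob, comment = parsed
        fp = fingerprint_sha256(blob)
        if fp in blacklist or fingerprint_md5(blob) in blacklist:
            hits.append((lineno, keytype, fp, comment))
    return hits


# Constructed sample data: these moduli are arbitrary byte patterns, not real keys.
BAD_BLOB = make_rsa_blob(65537, int.from_bytes(b"\x9b" * 128, "big"))
OK_BLOB = make_rsa_blob(65537, int.from_bytes(b"\xa7" * 128, "big"))

# The blacklist carries only the fingerprint of the "bad" key, never its modulus.
BLACKLIST_TEXT = "# constructed blacklist: fingerprints only\n" + fingerprint_sha256(BAD_BLOB) + "\n"

AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys",
    "ssh-rsa " + base64.b64encode(OK_BLOB).decode() + " alice@example",
    'command="rsync --server" ssh-rsa ' + base64.b64encode(BAD_BLOB).decode() + " bob@example",
])


def main():
    for lineno, keytype, fp, comment in screen_authorized_keys(AUTHORIZED_KEYS, load_blacklist(BLACKLIST_TEXT)):
        print(f"line {lineno}: blacklisted {keytype} key {fp} ({comment})")


if __name__ == "__main__":
    main()
```

Because the fingerprint is a hash of the public blob, the same check works for DSA, ECDSA or Ed25519 lines without any change to the blacklist loader; only `make_rsa_blob` is specific to RSA, and it exists here just to construct sample input.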