Chris Butler
2008-May-16 16:56 UTC
[CentOS] Re: [CentOS-announce] Impact of the Debian OpenSSL vulnerability
[please CC me on replies]

On Thu, May 15, 2008 at 08:08:39PM +0200, Daniel de Kok wrote:
> Questions on how this may affect CentOS users should be directed to
> the CentOS users list. List subscription information is available
> from:

In addition to the fixed OpenSSL packages, Debian also released an update to OpenSSH that includes a blacklist of the weak keys. With this update, any connections attempting to authenticate with a weak key are rejected. There's also a utility which searches through user ~/.ssh directories for blacklisted keys.

This blacklist would help in securing non-Debian systems as well. Are there any plans to include this ssh update in CentOS?

-- 
Chris Butler
Zedcore Systems Ltd UK
tel: 0114 238 1828
We have moved to: Lydgate House, Lydgate Lane, Sheffield S10 5FH
Karanbir Singh
2008-May-17 01:03 UTC
[CentOS] Re: [CentOS-announce] Impact of the Debian OpenSSL vulnerability
Chris Butler wrote:
> In addition to the fixed OpenSSL packages, Debian also released an update to
> OpenSSH that includes a blacklist of the weak keys. With this update, any
> connections attempting to authenticate with a weak key are rejected. There's
> also a utility which searches through user ~/.ssh directories for
> blacklisted keys.
>
> This blacklist would help in securing non-Debian systems as well. Are there
> any plans to include this ssh update in CentOS?

Dag pointed out that Suse is also considering setting up a blacklist of this nature. I don't mind looking at something like this within CentOS if someone wants to make a case for it. Would it be better to just have some tool (Daniel already brought that up!) that could audit setups instead of running such a blacklist?

Imho, the CentOS team would be open to looking at anything that helps improve security for the users. And let's also keep an eye on what comes down from upstream. But till such time as there is an upstream release to address this issue (if at all), nothing stops us from providing the resources required.

-- 
Karanbir Singh : http://www.karan.org/ : 2522219 at icq
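A minimal audit tool of the kind the two posts discuss, added here as an example (it is not Debian's utility nor any CentOS tool): it parses ~/.ssh/authorized_keys entries, computes the MD5 fingerprint of each key blob and flags any fingerprint found in a blacklist set. The ssh-rsa blob builder, the sample keys and the set-of-fingerprints blacklist format are constructed for the example and do not reproduce Debian's blacklist file layout.

```python
import base64, hashlib, shlex, struct

KEY_TYPES = {"ssh-rsa", "ssh-dss"}

def make_rsa_blob(e: int, n: int) -> bytes:
    """Constructed ssh-rsa public-key blob: wire-format strings (uint32 length + bytes) for type name, mpint e, mpint n."""
    s = lambda b: struct.pack(">I", len(b)) + b
    mpint = lambda x: s(x.to_bytes((x.bit_length() + 8) // 8, "big"))  # leading 0x00 keeps the mpint positive
    return s(b"ssh-rsa") + mpint(e) + mpint(n)

def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint of the key blob, the form ssh-keygen -l printed in 2008."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))

def parse_authorized_key(line: str):
    """Return (type, blob, comment); None for blank/comment lines; ValueError if malformed."""
    fields = shlex.split(line, comments=True)
    if not fields:
        return None
    # The optional options field (e.g. command="...",no-pty) is skipped by locating the key-type token.
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no key-type and base64 blob pair")
    blob = base64.b64decode(fields[idx + 1], validate=True)
    # The blob itself starts with the key type; it must agree with the declared one.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != fields[idx].encode():
        raise ValueError("declared key type does not match the blob")
    return fields[idx], blob, " ".join(fields[idx + 2:])

def audit_authorized_keys(text: str, blacklist: set) -> list:
    """One finding per key line: fingerprint and blacklist verdict; malformed lines are reported, not skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            parsed = parse_authorized_key(line)
        except ValueError as exc:
            findings.append({"line": lineno, "error": str(exc), "blacklisted": None})
            continue
        if parsed:
            fp = md5_fingerprint(parsed[1])
            findings.append({"line": lineno, "comment": parsed[2], "fingerprint": fp,
                             "blacklisted": fp in blacklist})
    return findings

# Constructed sample data: tiny RSA moduli keep the blobs short; BLACKLIST is a stand-in set of fingerprints.
WEAK_BLOB = make_rsa_blob(65537, 0xC0FFEE0123456789ABCDEF)
GOOD_BLOB = make_rsa_blob(65537, 0xDEADBEEF9876543210FEDC)
BLACKLIST = {md5_fingerprint(WEAK_BLOB)}
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed ~/.ssh/authorized_keys",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " alice@debian-host",
    'command="/usr/bin/rsync --server",no-pty ssh-rsa ' + base64.b64encode(GOOD_BLOB).decode() + " backup",
    "ssh-rsa not-base64!! broken",
])
```

Running `audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLACKLIST)` flags line 2, clears line 3 despite its options prefix, and reports line 4 as unparseable rather than silently skipping it.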