https://bugzilla.novell.com/show_bug.cgi?id=393186
User meissner@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=393186#c18
--- Comment #18 from Marcus Meissner
Hi,
Are any other distros, besides Debian, Ubuntu, and derived ones, going to implement key blacklisting in OpenSSH - or are considering it?
We are considering it for Openwall GNU/*/Linux, and if our effort would be reused by others, or if others join us in developing and/or testing the patch, this would be a reason for us to go for it.
I don't think we'll take the Debian/Ubuntu patch as-is. Rather, we are likely to use a trivial binary encoding/compression method for the partial fingerprints. We'd also use smaller partial fingerprints. With the approach I have in mind, it'd take around 4.55 bytes per key to store 48-bit partial fingerprints, bringing the installed file size for 3 arch types and 2 key types/sizes in under 1 MB (or just over 1 MB for 3 key types/sizes).
If this is going to be accepted as a more general solution, it'd be good to allow also for local, admin-maintained, blacklists, not just upstream maintained (and automatically updated).
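One possible layout for a table of 48-bit partial fingerprints, as an added example (not code from this comment, nor from the Debian/Ubuntu or Openwall patches). The layout and the names `fp_table`, `fp_partial`, `fp_build` and `fp_listed` are assumptions: the top 16 bits select a bucket through a fixed offset index, and only the low 32 bits (4 bytes) are stored per key.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout: offset index keyed by the top 16 bits, then sorted low 32 bits. */
struct fp_table {
    uint32_t start[65537];  /* start[b]..start[b+1] delimit bucket b */
    uint32_t *low;          /* low 32 bits of each key, sorted per bucket */
};

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Keep the first 6 bytes (48 bits) of a full 16-byte key fingerprint. */
uint64_t fp_partial(const unsigned char fp[16])
{
    uint64_t v = 0;
    for (int i = 0; i < 6; i++)
        v = (v << 8) | fp[i];
    return v;
}

/* Build the table from n partial fingerprints (sorted in place); 0 on success. */
int fp_build(struct fp_table *t, uint64_t *fps, size_t n)
{
    qsort(fps, n, sizeof(*fps), cmp_u64);
    if ((t->low = malloc((n + 1) * sizeof(*t->low))) == NULL)
        return -1;
    memset(t->start, 0, sizeof(t->start));
    for (size_t i = 0; i < n; i++) {
        t->start[((fps[i] >> 32) & 0xffff) + 1]++;  /* count per bucket */
        t->low[i] = (uint32_t)fps[i];
    }
    for (size_t b = 0; b < 65536; b++)              /* prefix sums -> offsets */
        t->start[b + 1] += t->start[b];
    return 0;
}

/* Return 1 if the partial fingerprint is in the table, 0 otherwise. */
int fp_listed(const struct fp_table *t, uint64_t fp)
{
    uint32_t b = (fp >> 32) & 0xffff, want = (uint32_t)fp;
    uint32_t lo = t->start[b], hi = t->start[b + 1];
    while (lo < hi) {                               /* binary search in bucket */
        uint32_t mid = lo + (hi - lo) / 2;
        if (t->low[mid] == want) return 1;
        if (t->low[mid] < want) lo = mid + 1; else hi = mid;
    }
    return 0;
}
```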