https://bugzilla.novell.com/show_bug.cgi?id=393186
User meissner@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=393186#c33
--- Comment #33 from Marcus Meissner
Do you have a patch to propose, implementing your idea?
Dmitry V. Levin and I have completed design of the encoding scheme, and Dmitry implemented it. Now we have: blacklist-encode.c - the encoder program; blacklist-check.c - the "checker" program, used for testing only; openssh-3.6.1p2-owl-blacklist.diff - the patch to sshd. The patch is against an older version that we still have in Owl (with lots of other patches), but it is trivial to forward-port. In fact, I expect that Dmitry will port it to the newer version in ALT Linux's distributions very soon (if not already). Dmitry - please announce your forward-port in here when you have it. Dmitry has done fairly extensive testing, but we would not mind others in the community doing more tests and reporting back in here. We also have openssh-blacklist-0.3-1.bin.bz2, which is used as a "source" in our OpenSSH package. It was generated from ftp://ftp.debian.org/debian/pool/main/o/openssh-blacklist/openssh-blacklist_0.3.tar.gz with: cat [DR]SA-{1024,2048}.[bl]e{32,64} | ./blacklist-encode 6 > openssh-blacklist-0.3-1.bin bzip2 !$ That is, it contains 48-bit partial fingerprints for 1024-bit and 2048-bit RSA and 1024-bit DSA keys for PID range 1 to 32767 (a total of almost 300k keys). The installed file size is just 1.3 MB, which corresponds to less than 4.5 bytes per fingerprint, and the .bz2 (and rpm) is just 1.2 MB. Lookups are very quick, and only three small portions of the file are read per lookup, for a total of under 100 bytes of data to read (as far as sshd is concerned). Neither the code nor the file format is specific to 48-bit partial fingerprints; it is possible to use larger ones by supplying something other than "6" (the size in bytes) on blacklist-encode's command-line. There is a safety check against even smaller values in blacklist-encode.c's main(), although if you really know what you're doing, you can go for 40-bit as well, bringing file size for the same keys to under 1 MB. 
Our latest source code may be found here: http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/openssh/ (along with lots of other patches to OpenSSH). The pre-encoded blacklist file may be found here: ftp://ftp.ru.openwall.com/pub/Owl/pool/sources/openssh/ (and on other mirrors).

I've attached current revisions of the source files and patch mentioned above. This is to encourage community review and comments, and to enable easy quoting of relevant context (please do not overquote).

Please note that this effort was/is supported by CivicActions. It will enable us to receive funding for and get involved in more community activities in the future if you give due credit to both Openwall and CivicActions (especially with website links) when you reuse this stuff.

Thanks in advance for any feedback.

Alexander
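The comment above describes the properties of the encoded blacklist (48-bit partial fingerprints, a few bytes per entry, a lookup that reads only a few small regions) without describing the layout itself. The following is an added example illustrating one way such a table can be organized; it is not Openwall's blacklist-encode.c, not the openssh-blacklist-0.3-1.bin format, and not code from the sshd patch. The layout (top 16 bits of each fingerprint select a bucket; a 65537-entry offset table gives each bucket's extent in a sorted array of the remaining 32 bits), the function names, and the sample entries are all assumptions made for illustration; the hex entries are constructed, not taken from the Debian lists.

```c
/*
 * Added example: a bucketed lookup table for 48-bit partial fingerprints.
 * NOT Openwall's blacklist-encode.c and not its on-disk format; the layout
 * (16-bit prefix -> offset table -> sorted 32-bit suffixes) is assumed here.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FP_BYTES 6          /* 48-bit partial fingerprint, as in the comment above */
#define NPREFIX  65536u     /* buckets selected by the top 16 bits */

typedef struct {
    uint32_t *offsets;   /* NPREFIX + 1 entries: bucket p is suffixes[offsets[p] .. offsets[p+1]) */
    uint32_t *suffixes;  /* low 32 bits of each fingerprint, sorted within every bucket */
    size_t count;
} blacklist_t;

static uint64_t fp_pack(const uint8_t *fp) {   /* 6 big-endian bytes -> 48-bit integer */
    uint64_t v = 0;
    for (int i = 0; i < FP_BYTES; i++) v = v << 8 | fp[i];
    return v;
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return x < y ? -1 : x > y;
}

/* Parse 12 hex digits (one constructed list entry) into a 6-byte fingerprint. */
static int hex_to_fp(const char *hex, uint8_t *fp) {
    if (strlen(hex) != 2 * FP_BYTES) return -1;
    for (int i = 0; i < FP_BYTES; i++) {
        unsigned v;
        if (sscanf(hex + 2 * i, "%2x", &v) != 1) return -1;
        fp[i] = (uint8_t)v;
    }
    return 0;
}

/* Build the table from n raw fingerprints (n * FP_BYTES bytes). Returns 0 on success. */
static int blacklist_encode(blacklist_t *bl, const uint8_t *fps, size_t n) {
    uint64_t *keys = malloc((n ? n : 1) * sizeof *keys);
    bl->offsets = calloc(NPREFIX + 1, sizeof *bl->offsets);
    bl->suffixes = malloc((n ? n : 1) * sizeof *bl->suffixes);
    bl->count = 0;
    if (!keys || !bl->offsets || !bl->suffixes) {
        free(keys); free(bl->offsets); free(bl->suffixes);
        return -1;
    }
    for (size_t i = 0; i < n; i++) keys[i] = fp_pack(fps + i * FP_BYTES);
    qsort(keys, n, sizeof *keys, cmp_u64);         /* sorting the 48-bit values groups them by prefix */
    for (size_t i = 0; i < n; i++) {
        bl->suffixes[i] = (uint32_t)keys[i];
        bl->offsets[(keys[i] >> 32) + 1]++;         /* per-prefix counts, shifted up by one slot ... */
    }
    for (size_t p = 0; p < NPREFIX; p++)            /* ... then prefix-summed into start offsets */
        bl->offsets[p + 1] += bl->offsets[p];
    bl->count = n;
    free(keys);
    return 0;
}

static void blacklist_free(blacklist_t *bl) {
    free(bl->offsets); free(bl->suffixes);
    bl->offsets = bl->suffixes = NULL; bl->count = 0;
}

/* Membership test: touches two adjacent offsets and one short bucket, so a
 * file-backed version reads a handful of bytes per query however many keys are listed. */
static int blacklist_check(const blacklist_t *bl, const uint8_t *fp) {
    uint64_t key = fp_pack(fp);
    uint32_t lo = bl->offsets[key >> 32], hi = bl->offsets[(key >> 32) + 1];
    uint32_t want = (uint32_t)key;
    while (lo < hi) {                                /* binary search within the bucket */
        uint32_t mid = lo + (hi - lo) / 2;
        if (bl->suffixes[mid] == want) return 1;
        if (bl->suffixes[mid] < want) lo = mid + 1; else hi = mid;
    }
    return 0;
}

/* Bytes a file in this layout would occupy: 4-byte header, offset table, suffix array. */
static size_t blacklist_file_size(size_t count) {
    return 4 + (NPREFIX + 1) * sizeof(uint32_t) + count * sizeof(uint32_t);
}

int main(void) {
    /* Constructed sample entries, 12 hex digits = 48 bits each (not real blacklisted keys). */
    static const char *listed[] = { "0123456789ab", "0123456789ac", "ffeeddccbbaa", "00000000ffff" };
    static const char *queries[] = { "0123456789ab", "0123456789ad", "00000000ffff" };
    enum { N = sizeof listed / sizeof *listed };
    uint8_t fps[N * FP_BYTES], q[FP_BYTES];
    blacklist_t bl;
    for (int i = 0; i < N; i++) if (hex_to_fp(listed[i], fps + i * FP_BYTES)) return 1;
    if (blacklist_encode(&bl, fps, N)) return 1;
    for (int i = 0; i < 3; i++) {
        if (hex_to_fp(queries[i], q)) return 1;
        printf("%s: %s\n", queries[i], blacklist_check(&bl, q) ? "blacklisted" : "ok");
    }
    printf("%zu entries -> %zu bytes in this layout; %.2f bytes/entry at 300000 entries\n",
           bl.count, blacklist_file_size(bl.count), blacklist_file_size(300000) / 300000.0);
    blacklist_free(&bl);
    return 0;
}
```

At 300k entries this simple layout costs about 4.87 bytes per fingerprint (a fixed 256 KB offset table plus 4 bytes per suffix), so the 1.3 MB file described above, at under 4.5 bytes per fingerprint, is denser than this illustration; the point of the example is only the access pattern, where a query costs two offset reads plus one short bucket regardless of list size.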