Hello.
In my opinion, there should be two separate blacklists:
- One is distribution-provided, which lists worldwide-known-weak or
otherwise unusable keys (as in the current case).
That file could go into /usr/share/, and would not be supposed to be
modified by the administrator.
- Another blacklist could be in /etc/, empty by default, and
specifically designated for adding locally-blacklisted keys (i.e. by the
administrator of that particular machine).
The major benefit of such a scheme is that the admin wouldn't have to
edit the huge Debian-provided blacklists in order to add a key or two (and
re-sort them, as these blacklists currently must be sorted, according to
'man ssh-vulnkey'); s/he could simply add that line to a small local
blacklist. As a consequence, there would be no need to deal with dpkg
prompts about "Install newer version of this config file?" each time
the Debian-provided blacklist updates for some reason, and no need to
scrutinize the huge diffs to find out what the distribution's changes
are and how not to lose the locally-made ones.
With respect,
Roman.
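The two-tier lookup Roman proposes, written out as an added example that is not from the post or from ssh-vulnkey itself; the one-fingerprint-per-line format and the file contents are constructed assumptions, and the distribution tier is kept sorted so it can be searched by bisection as the post says it must be:

```python
"""Two-tier key blacklist: a sorted distribution-provided file plus a small
local file. Constructed example; the file format here (one hex fingerprint
per line, '#' comments) is an assumption, not ssh-vulnkey's real format."""
import bisect

# Constructed sample data standing in for the two files the post proposes.
DIST_BLACKLIST = """\
# /usr/share: distribution-provided, must stay sorted, never edited locally
0a1b2c3d4e5f60718293a4b5c6d7e8f9
1f2e3d4c5b6a79808172635445362718
9c8b7a6f5e4d3c2b1a09f8e7d6c5b4a3
"""
LOCAL_BLACKLIST = """\
# /etc: admin additions, empty by default, any order
ffeeddccbbaa99887766554433221100
"""


def parse_entries(text):
    """Return normalised fingerprints, skipping blank lines and comments."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            out.append(line)
    return out


class KeyBlacklist:
    """Checks a fingerprint against both tiers and reports which one matched."""

    def __init__(self, dist_text, local_text):
        self.dist = parse_entries(dist_text)
        # The distribution tier is searched by bisection, so refuse an
        # unsorted file rather than silently missing entries.
        if self.dist != sorted(self.dist):
            raise ValueError("distribution blacklist is not sorted")
        self.local = set(parse_entries(local_text))

    def lookup(self, fingerprint):
        """Return 'local', 'distribution' or None for a fingerprint."""
        fp = fingerprint.strip().lower()
        if fp in self.local:
            return "local"
        i = bisect.bisect_left(self.dist, fp)
        if i < len(self.dist) and self.dist[i] == fp:
            return "distribution"
        return None

    def add_local(self, fingerprint):
        """Admin adds a key to the local tier; the distribution file is untouched."""
        self.local.add(fingerprint.strip().lower())
```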