Bug#481336: openssh-blacklist: provide blacklist for RSA 4096

2008-05-18 Thread Colin Watson
On Sun, May 18, 2008 at 02:16:31PM +0200, Vincent Danjean wrote:
> Colin Watson wrote:
> > On Fri, May 16, 2008 at 11:59:44AM +0200, Raphael Hertzog wrote:
> >> Lucas has access to GRID-5000 and could generate the keys if someone
> >> provides him the required information to do the task given that the
> >> nodes are amd64 (but he uses them as i386 by default with linux32 IIRC).
> >>
> >> But he will only have access to GRID-5000 when he comes back from his trip
> >> to fosscamp (on Sunday). Also ccing vincent danjean who also has access to
> >> grid 5000.
> 
> I have access to grid5000 but I have not yet set up my account to deploy
> Debian images as easily as Lucas does.

It's not necessary, thanks; Kees is sorting it out.

-- 
Colin Watson   [EMAIL PROTECTED]



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#481336: openssh-blacklist: provide blacklist for RSA 4096

2008-05-18 Thread Vincent Danjean
Colin Watson wrote:
> On Fri, May 16, 2008 at 11:59:44AM +0200, Raphael Hertzog wrote:
>> Lucas has access to GRID-5000 and could generate the keys if someone
>> provides him the required information to do the task given that the
>> nodes are amd64 (but he uses them as i386 by default with linux32 IIRC).
>>
>> But he will only have access to GRID-5000 when he comes back from his trip
>> to fosscamp (on Sunday). Also ccing vincent danjean who also has access to
>> grid 5000.

I have access to grid5000 but I have not yet set up my account to deploy
Debian images as easily as Lucas does.
What I can do quickly is to run a standalone program on many nodes. If the
work requires setting up chroots or other things more complex, I think it will
be quicker to wait for Lucas to come back and to use his scripts.

> It shouldn't take that long to generate them using the same code Kees
> used to generate the blacklist to start with. Kees, could you take care
> of that?

If the work is a standalone program that can be easily split (to parallelize it),
I can run it today on the grid. Just send me the sources and how to run it.

> (I'd *really* rather not use blacklists downloaded from metasploit;
> forgive my paranoia. :-) )

  Regards,
Vincent

-- 
Vincent Danjean   GPG key ID 0x9D025E87 [EMAIL PROTECTED]
GPG key fingerprint: FC95 08A6 854D DB48 4B9A  8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://www-id.imag.fr/~danjean/deb.html#package
APT repo:  deb http://perso.debian.org/~vdanjean/debian unstable main







Bug#481336: openssh-blacklist: provide blacklist for RSA 4096

2008-05-16 Thread Colin Watson
On Fri, May 16, 2008 at 03:32:29AM -0700, Kees Cook wrote:
> Certainly.  In the interests of keeping the default-key blacklist
> package small, how about calling the new lists -rsa512 and -rsa4096,
> etc?

How about openssh-blacklist-extra for everything other than defaults?

-- 
Colin Watson   [EMAIL PROTECTED]






Bug#481336: openssh-blacklist: provide blacklist for RSA 4096

2008-05-16 Thread Kees Cook
On Fri, May 16, 2008 at 11:16:32AM +0100, Colin Watson wrote:
> On Fri, May 16, 2008 at 11:59:44AM +0200, Raphael Hertzog wrote:
> > On Thu, 15 May 2008, Jon Dowland wrote:
> > > there's a tarball of 32bit/le rsa 4096 key pairs at
> > > .
> > > 
> > > I'm trying to build a blacklist for these keys*. It would be
> > > nice if one was included in the package.
> > 
> > Until those lists are complete (ie for 32 and 64 bits, and
> > big/low endian), I don't think they should be integrated
> > as the ssh-vulnkey tool will report "Not blacklisted" for keys which are
> > potentially compromised because they have been generated on amd64 for
> > example...
> > 
> > Lucas has access to GRID-5000 and could generate the keys if someone
> > provides him the required information to do the task given that the
> > nodes are amd64 (but he uses them as i386 by default with linux32 IIRC).
> > 
> > But he will only have access to GRID-5000 when he comes back from his trip
> > to fosscamp (on Sunday). Also ccing vincent danjean who also has access to
> > grid 5000.
> 
> It shouldn't take that long to generate them using the same code Kees
> used to generate the blacklist to start with. Kees, could you take care
> of that?
> 
> (I'd *really* rather not use blacklists downloaded from metasploit;
> forgive my paranoia. :-) )

Certainly.  In the interests of keeping the default-key blacklist
package small, how about calling the new lists -rsa512 and -rsa4096,
etc?

-- 
Kees Cook






Bug#481336: openssh-blacklist: provide blacklist for RSA 4096

2008-05-16 Thread Raphael Hertzog
On Thu, 15 May 2008, Jon Dowland wrote:
> there's a tarball of 32bit/le rsa 4096 key pairs at
> .
> 
> I'm trying to build a blacklist for these keys*. It would be
> nice if one was included in the package.

Until those lists are complete (ie for 32 and 64 bits, and
big/low endian), I don't think they should be integrated
as the ssh-vulnkey tool will report "Not blacklisted" for keys which are
potentially compromised because they have been generated on amd64 for
example...

Lucas has access to GRID-5000 and could generate the keys if someone
provides him the required information to do the task given that the
nodes are amd64 (but he uses them as i386 by default with linux32 IIRC).

But he will only have access to GRID-5000 when he comes back from his trip
to fosscamp (on Sunday). Also ccing vincent danjean who also has access to
grid 5000.

Cheers,
-- 
Raphaël Hertzog

The French best-seller updated for Debian Etch:
http://www.ouaza.com/livre/admin-debian/






Bug#481336: openssh-blacklist: provide blacklist for RSA 4096

2008-05-16 Thread Colin Watson
On Fri, May 16, 2008 at 11:59:44AM +0200, Raphael Hertzog wrote:
> On Thu, 15 May 2008, Jon Dowland wrote:
> > there's a tarball of 32bit/le rsa 4096 key pairs at
> > .
> > 
> > I'm trying to build a blacklist for these keys*. It would be
> > nice if one was included in the package.
> 
> Until those lists are complete (ie for 32 and 64 bits, and
> big/low endian), I don't think they should be integrated
> as the ssh-vulnkey tool will report "Not blacklisted" for keys which are
> potentially compromised because they have been generated on amd64 for
> example...
> 
> Lucas has access to GRID-5000 and could generate the keys if someone
> provides him the required information to do the task given that the
> nodes are amd64 (but he uses them as i386 by default with linux32 IIRC).
> 
> But he will only have access to GRID-5000 when he comes back from his trip
> to fosscamp (on Sunday). Also ccing vincent danjean who also has access to
> grid 5000.

It shouldn't take that long to generate them using the same code Kees
used to generate the blacklist to start with. Kees, could you take care
of that?

(I'd *really* rather not use blacklists downloaded from metasploit;
forgive my paranoia. :-) )

-- 
Colin Watson   [EMAIL PROTECTED]






Bug#481336: openssh-blacklist: provide blacklist for RSA 4096

2008-05-15 Thread Jon Dowland
Sorry, I didn't see the discussion along these lines in the
other bug at the time I wrote this one.

On Thu, May 15, 2008 at 12:18:52PM +0100, Jon Dowland wrote:
>  also, the ssh-vulnkey(1) manpage
> says lines must be 20 chars long and strip the first 12
> bytes, yet these blacklists are 38 chars long so
> presumably do not. ]

I neglected to notice the stuff in the rules file here.






Bug#481336: openssh-blacklist: provide blacklist for RSA 4096

2008-05-15 Thread Jon Dowland
Package: openssh-blacklist
Version: 0.1.0
Severity: normal

Hi folks,

there's a tarball of 32bit/le rsa 4096 key pairs at
.

I'm trying to build a blacklist for these keys*. It would be
nice if one was included in the package.

[ * having some trouble. there are 32768 such keys, but the
existing blacklist files are 3x as large. is this for other
bit depths / endian? also, the ssh-vulnkey(1) manpage
says lines must be 20 chars long and strip the first 12
bytes, yet these blacklists are 38 chars long so
presumably do not. ]


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-486
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

openssh-blacklist depends on no packages.

Versions of packages openssh-blacklist recommends:
ii  openssh-client  1:4.7p1-9  secure shell client, an rlogin/rsh

-- no debconf information
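The lookup the report's footnote describes (MD5 fingerprint of the key, first 12 hex characters stripped, one 20-character line per key) and the completeness concern raised earlier in the thread (a list missing one architecture or endianness variant silently reports "Not blacklisted"), as an added example that is not part of the bug thread, of ssh-vulnkey or of the openssh-blacklist package. It builds a small blacklist from constructed public keys and checks keys against it in Python. Assumptions: the 20-character entry is the last 20 hex characters of the colon-less MD5 fingerprint of the decoded key blob (my reading of the ssh-vulnkey(1) description quoted above), and lines beginning with '#' in a list file are headers. The sample keys are synthetic, with tiny moduli, and are not real or vulnerable keys; the real lists ship with the package.

```python
import base64
import bisect
import hashlib
import struct

# Sample keys in this file are constructed for the example: tiny moduli,
# not real keys and not taken from any vulnerable-key tarball. They exist
# only so the script runs offline.


def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length prefix, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint': big-endian magnitude, leading 0x00 if the top bit is set."""
    mag = n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b""
    return _ssh_string(mag)


def make_rsa_pubkey_line(e: int, n: int, comment: str = "") -> str:
    """Build an authorized_keys-style 'ssh-rsa <base64 blob> [comment]' line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def md5_fingerprint(pubkey_line: str) -> str:
    """32 hex chars: MD5 of the decoded key blob, i.e. the classic
    'ssh-keygen -l' MD5 fingerprint with the colons removed."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return hashlib.md5(blob).hexdigest()


def blacklist_entry(pubkey_line: str) -> str:
    """20-character list form assumed by this example: the fingerprint with
    its first 12 hex characters stripped (per the ssh-vulnkey(1) wording
    quoted in the report)."""
    return md5_fingerprint(pubkey_line)[12:]


def build_blacklist(pubkey_lines) -> list:
    """Turn a set of known-bad public keys into sorted, unique 20-char entries.
    Sorting is what lets a large list be binary-searched instead of scanned."""
    return sorted({blacklist_entry(line) for line in pubkey_lines})


def parse_blacklist(text: str) -> list:
    """Parse list-file text. Assumption: '#' lines are headers/comments, every
    other non-blank line is exactly one 20-char lowercase-hex entry; anything
    else is rejected rather than silently skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if len(line) != 20 or any(c not in "0123456789abcdef" for c in line):
            raise ValueError("malformed blacklist line: %r" % raw)
        entries.append(line)
    return sorted(set(entries))


def is_blacklisted(pubkey_line: str, blacklist: list) -> bool:
    """Binary-search the sorted entry list. False means only that THIS list
    lacks the key: a list generated for one architecture/endianness variant
    says False for a predictable key generated on another."""
    entry = blacklist_entry(pubkey_line)
    i = bisect.bisect_left(blacklist, entry)
    return i < len(blacklist) and blacklist[i] == entry


# Constructed sample keys (not real, not vulnerable).
BAD_KEYS = [
    make_rsa_pubkey_line(65537, 0xC0FFEE0DDF00D1234567, "bad-1"),
    make_rsa_pubkey_line(65537, 0xDEADBEEF0123456789AB, "bad-2"),
]
GOOD_KEY = make_rsa_pubkey_line(65537, 0xFEEDFACE0011223344CC, "good")

BLACKLIST = build_blacklist(BAD_KEYS)
BLACKLIST_TEXT = "# constructed example list\n" + "\n".join(BLACKLIST) + "\n"

if __name__ == "__main__":
    lst = parse_blacklist(BLACKLIST_TEXT)
    for k in BAD_KEYS + [GOOD_KEY]:
        print(k.split()[-1], blacklist_entry(k), is_blacklisted(k, lst))
```

To try it against a key of your own, paste the line from id_rsa.pub into is_blacklisted() with a list parsed from the package's file for that key size; a False result only says the key is absent from that one list, which is exactly why an incomplete set of variants is worse than no list at all.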


