openssh lockup after blacklist hits

2008-05-19 Thread CaT
I got connections from an unknown IP to openssh today. openssh logged: Public key ... blacklisted (see ssh-vulnkey(1)) 19 times, each time with a different key and then ssh would not respond any more and connections to it froze like so: $ ssh [EMAIL PROTECTED] -v OpenSSH_4.3p2 Debian-9etch1, Ope

Re: realpath in PS1 bash

2008-05-19 Thread Florian Weimer
* Bernd Eckenfels: > And it is still traversing lots of inodes. It's pretty much likely that those paths are in the dcache anyway, so there's no need to fall back on inodes.

Re: realpath in PS1 bash

2008-05-19 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote: > I'm wondering if it would be a good idea to have PS1 set to > > '${debian_chroot:+($debian_chroot)[EMAIL PROTECTED]:$(realpath "$(pwd)")\$ ' Personally I don't like having the shell spawn an executable. Since this will slow down administration on heavily

RE: [SECURITY] [DSA 1576-2] New openssh packages fix predictable randomness

2008-05-19 Thread Leonardo Naranjo
Hello: In case you are interested, there is a security alert for Debian. Regards, Leonardo > From: [EMAIL PROTECTED] > To: [EMAIL PROTECTED] > Date: Fri, 16 May 2008 18:14:27 +0200 > Subject: [SECURITY] [DSA 1576-2] New openssh packages fix predictable >

RE: [SECURITY] [DSA 1576-1] New openssh packages fix predictable randomness

2008-05-19 Thread Leonardo Naranjo
Hello: In case you are interested, there is a security alert for Debian. Regards, Leonardo > From: [EMAIL PROTECTED] > To: [EMAIL PROTECTED] > Date: Wed, 14 May 2008 11:24:56 +0200 > Subject: [SECURITY] [DSA 1576-1] New openssh packages fix predictable >

Re: openssl-blacklist & two keys per one pid

2008-05-19 Thread Florian Weimer
* Jan Tomasek: > This is good argument. When I was trying to secure my systems from > weak SSH keys. I decided to use ssh-vulnkey and build blacklists by > myself from work of H D Moore. I do not trust dowkd.pl script because > it lacks info where keys were taken. We did not want to publish this

Re: openssl-blacklist & two keys per one pid

2008-05-19 Thread Jan Tomasek
Dirk-Willem van Gulik wrote: On May 19, 2008, at 3:15 PM, Florian Weimer wrote: * Dirk-Willem van Gulik: Working with the original and some indication as to what pid, platform, keylen endianness, and .rnd, is useful - as that way it is possible to understand, reconstruct, spotcheck or verify

Re: ssh-vulnkey and authorized_keys

2008-05-19 Thread Florian Weimer
* James Miller: > From what I understand ssh-vulnkey only checks to see if a key is listed > in the blacklist (already compromised). Is there any way to > empirically test whether a key is vulnerable or not? All vulnerable keys should be contained in the blacklist. In other words, the blacklist sho

Re: ssh-vulnkey and authorized_keys

2008-05-19 Thread James Miller
Alex Samad wrote: On Thu, May 15, 2008 at 07:43:13PM -0400, Chris Adams wrote: On May 15, 2008, at 6:25 PM, Alex Samad wrote: is there away to check x509 certs with these tools ? Yes - the wiki has one (http://wiki.debian.org/SSLkeys) but you might prefer the openssl-blacklis

Re: dowkd.pl false positives

2008-05-19 Thread Dirk-Willem van Gulik
On May 17, 2008, at 2:23 PM, Florian Weimer wrote: Someone has added a warning to the wiki page that dowkd.pl "produces many false positives". Even if there are bugs in the script, this is *very* unlikely. Could someone please provide such an alleged false po

Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-19 Thread Dirk-Willem van Gulik
On May 17, 2008, at 1:34 PM, Matteo Vescovi wrote: are there updates for this issue for old stable - sarge? It was said sarge is not affected, Bear in mind that you still want blacklist support for the various tools, not just for the known_hosts and authorized_keys; but also for people

Re: openssl-blacklist & two keys per one pid

2008-05-19 Thread Dirk-Willem van Gulik
On May 19, 2008, at 3:15 PM, Florian Weimer wrote: * Dirk-Willem van Gulik: Working with the original and some indication as to what pid, platform, keylen endianness, and .rnd, is useful - as that way it is possible to understand, reconstruct, spotcheck or verify in-situ - rather than having

Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-19 Thread Andreas Bunten
Hi, you wrote: (...) >A detector for known weak key material will be published at: > > > >(OpenPGP signature) (...) Thank you for providing a perl script to check f

realpath in PS1 bash

2008-05-19 Thread Peter Kuma
Hi folks I didn't receive any response on debian-user, hopefully this is an appropriate place to ask. I'm wondering if it would be a good idea to have PS1 set to '${debian_chroot:+($debian_chroot)[EMAIL PROTECTED]:$(realpath "$(pwd)")\$ ' instead of the default '${debian_chroot:+($debian_chroo

Re: openssl-blacklist & two keys per one pid

2008-05-19 Thread Florian Weimer
* Dirk-Willem van Gulik: > Working with the original and some indication as to what pid, > platform, keylen endianness, and .rnd, is useful - as that way it is > possible to understand, reconstruct, spotcheck or verify in-situ - > rather than having to build trust without easy verify. It's also

Re: openssl-blacklist & two keys per one pid

2008-05-19 Thread Dirk-Willem van Gulik
On May 19, 2008, at 2:54 PM, Florian Weimer wrote: * Dirk-Willem van Gulik: One way to do this a bit more carefully may be by comparing the actual data itself. OpenSSL will output this with the modulus flag: openssl genrsa 1024 | openssl rsa -noout -modulus Yes, that's what dowkd is

Re: openssl-blacklist & two keys per one pid

2008-05-19 Thread Kees Cook
On Mon, May 19, 2008 at 02:24:01PM +0200, Jan Tomasek wrote: > What is your 3rd architecture? On Ubuntu pages I see only PC (Intel x86) > desktop CD and 64-bit PC (AMD64) desktop CD? Sparc and PowerPC are big-endian with a 32-bit userspace. These exist in Debian currently, and existed in Ubuntu

Re: openssl-blacklist & two keys per one pid

2008-05-19 Thread Florian Weimer
* Dirk-Willem van Gulik: > One way to do this a bit more carefully may be by comparing the actual > data itself. OpenSSL will output this with the modulus flag: > > openssl genrsa 1024 | openssl rsa -noout -modulus Yes, that's what dowkd is doing (albeit with a somewhat suboptimal algorithm;

Re: openssl-blacklist & two keys per one pid

2008-05-19 Thread Dirk-Willem van Gulik
On May 19, 2008, at 2:17 PM, Florian Weimer wrote: The rule is simple. When the ~/.rnd file doesn't exist I get one key, and in the other situation I get another (the one listed in the Ubuntu openssl-blacklist) key. Because of this problem openssl-blacklist has to be twice as big as openssh-blacklist. I

Re: openssl-blacklist & two keys per one pid

2008-05-19 Thread Jan Tomasek
Kees Cook wrote: The rule is simple. When the ~/.rnd file doesn't exist I get one key, and in the other situation I get another (the one listed in the Ubuntu openssl-blacklist) key. Because of this problem openssl-blacklist has to be twice as big as openssh-blacklist. I developed simple shell scripts to

Re: openssl-blacklist & two keys per one pid

2008-05-19 Thread Florian Weimer
* Kees Cook: >> The rule is simple. When the ~/.rnd file doesn't exist I get one key, and >> in the other situation I get another (the one listed in the Ubuntu >> openssl-blacklist) key. Because of this problem openssl-blacklist has to >> be twice as big as openssh-blacklist. I developed simple shell scr