Bug 447075

Summary: RFE: Add the ssh-vulnkey command to detect weak SSH keys
Product: [Fedora] Fedora
Reporter: John Villalovos <jvillalo>
Component: Package Review
Assignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: medium
Version: rawhide
CC: dcantrell, fedora-package-review, katzj, k.georgiou, notting, turchi
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-10-21 00:05:06 UTC

Description John Villalovos 2008-05-17 17:20:42 UTC

Description of problem:
Due to the issue with Debian and Debian-derived systems generating weak keys, it would be useful to have the ssh-vulnkey application added from Debian. It might also be useful to consider the blacklist code that they have, too.

http://www.debian.org/security/2008/dsa-1571
http://wiki.debian.org/SSLkeys
http://metasploit.com/users/hdm/tools/debian-openssl/

How reproducible:
Always


Steps to Reproduce:
If a key created on an affected Debian system has been copied to a Fedora system, you are affected.


Comment 1 Tomas Mraz 2008-05-18 19:32:05 UTC
IMO this should be a completely separate package. I don't see any reason to add this kludge into the base openssh source rpm.
I'm willing to review it for you if you submit it for Fedora.


Comment 2 Bill Nottingham 2008-05-19 20:27:12 UTC
Yes, please feel free to submit this for review.

Comment 3 John Villalovos 2008-08-19 16:09:31 UTC
At the moment I don't have the bandwidth to do this.  It would be nice if someone else could.

Comment 4 Jason Tibbitts 2008-10-21 00:05:06 UTC
If there's no package to review, this should certainly not be in the "Package Review" component.

I'm just going to close this.  If someone actually wants to submit a package for review, please open a regular package review ticket.  If someone wants to keep this open, please change the component to something proper so that it doesn't appear in the package review queue.