Bug 447075 - RFE: Add the ssh-vulnkey command to detect weak SSH keys
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-05-17 17:20 UTC by John Villalovos
Modified: 2015-05-08 13:56 UTC

Last Closed: 2008-10-21 00:05:06 UTC

Description John Villalovos 2008-05-17 17:20:42 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14

Description of problem:
Due to the issue with Debian and Debian-derived systems generating weak keys, it would be useful to have the ssh-vulnkey application added from Debian.  It might also be useful to consider the blacklist code that they have too.

http://www.debian.org/security/2008/dsa-1571
http://wiki.debian.org/SSLkeys
http://metasploit.com/users/hdm/tools/debian-openssl/

Version-Release number of selected component (if applicable):


How reproducible:
Always


Steps to Reproduce:
If a key created on an affected Debian system has been copied to a Fedora system, you are affected.

Actual Results:


Expected Results:


Additional info:

Comment 1 Tomas Mraz 2008-05-18 19:32:05 UTC
IMO this should be a completely separate package. I don't see any reason to add this kludge into the base openssh source rpm.
I'm willing to review it for you if you submit it for Fedora.


Comment 2 Bill Nottingham 2008-05-19 20:27:12 UTC
Yes, please feel free to submit this for review.

Comment 3 John Villalovos 2008-08-19 16:09:31 UTC
At the moment I don't have the bandwidth to do this.  It would be nice if someone else could.

Comment 4 Jason Tibbitts 2008-10-21 00:05:06 UTC
If there's no package to review, this should certainly not be in the "Package Review" component.

I'm just going to close this.  If someone actually wants to submit a package for review, please open a regular package review ticket.  If someone wants to keep this open, please change the component to something proper so that it doesn't appear in the package review queue.

