Red Hat Bugzilla – Bug 447075
RFE: Add the ssh-vulnkey command to detect weak SSH keys
Last modified: 2015-05-08 09:56:30 EDT
From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14 Description of problem: Due to the issue with Debian and Debian derived systems generating weak keys. It would be useful to have the ssh-vulnkey application added from Debian. It might also be useful to consider the blacklist code that they have to. http://www.debian.org/security/2008/dsa-1571 http://wiki.debian.org/SSLkeys http://metasploit.com/users/hdm/tools/debian-openssl/ Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: If key created on an affected Debian system has been copied to a Fedora system you are affected. Actual Results: Expected Results: Additional info:
IMO this should be a completely separate package. I don't see any reason why to add this kludge into the base openssh source rpm. I'm willing to review it for you if you submit it for Fedora.
Yes, please feel free to submit this for review.
At the moment I don't have the bandwidth to do this. It would be nice if someone else could.
If there's no package to review, this should certainly not be in the "Package Review" component. I'm just going to close this. If someone actually wants to submit a package for review, please open a regular package review ticket. If someone wants to keep this open, please change the component to something proper so that it doesn't appear in the package review queue.