[Secure-testing-team] Bug#484055: dropbear should support openssh-blacklist-* integration
Matthew Hall
mhall at mhcomputing.net
Mon Jun 2 05:30:11 UTC 2008
Package: dropbear
Version: 0.51-1
Severity: normal
Tags: security
The dropbear server should include support for disallowing the usage of
blacklisted SSH keys generated on systems which were vulnerable to
DSA-1576-1 [1].
This support is included in openssh to protect the integrity of systems
that have been updated to patch DSA-1576-1 [1]:
<<This update contains a dependency on the openssl update and will
automatically install a corrected version of the libssl0.9.8 package,
and a new package openssh-blacklist.
Once the update is applied, weak user keys will be automatically
rejected where possible (though they cannot be detected in all cases).
If you are using such keys for user authentication, they will
immediately stop working and will need to be replaced.>>
Please consider adding support for the openssh blacklist files to
dropbear as well as a recommends dependency on the openssh blacklist
files (preferably not a mandatory dependency since dropbear is used in
embedded environments in some cases).
Thanks and Regards,
Matthew Hall
[1] http://www.debian.org/security/2008/dsa-1576
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (x86_64)
Kernel: Linux 2.6.18.8-xen (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages dropbear depends on:
ii libc6 2.7-11 GNU C Library: Shared libraries
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
dropbear recommends no packages.
-- no debconf information
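
The check requested in this report, sketched as an added example that is not part of the original report and is not dropbear or OpenSSH code. It assumes the openssh-blacklist format: one list per key type and size (suffixes such as RSA-2048), each entry being the key's MD5 fingerprint in hex with the first 12 digits dropped. All function names are hypothetical and the sample key is constructed.

```python
import base64
import hashlib
import struct

def read_string(blob, off):
    """Read one length-prefixed SSH wire string; return (bytes, next offset)."""
    end = off + 4
    if end > len(blob):
        raise ValueError("truncated key blob")
    end += struct.unpack(">I", blob[off:off + 4])[0]
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def blacklist_entry(blob):
    """Assumed entry format: MD5 fingerprint in hex, first 12 digits dropped."""
    return hashlib.md5(blob).hexdigest()[12:]

def blacklist_lookup_key(line):
    """Map a 'type base64 [comment]' public key line to (list suffix, entry)."""
    blob = base64.b64decode(line.split()[1], validate=True)
    ktype, off = read_string(blob, 0)
    if ktype == b"ssh-rsa":
        _e, off = read_string(blob, off)                      # public exponent, skipped
        size_field, name = read_string(blob, off)[0], "RSA"   # modulus n
    elif ktype == b"ssh-dss":
        size_field, name = read_string(blob, off)[0], "DSA"   # prime p
    else:
        raise ValueError("no blacklist for key type %r" % ktype)
    bits = int.from_bytes(size_field, "big").bit_length()
    return "%s-%d" % (name, bits), blacklist_entry(blob)

def load_blacklist(text):
    """Keep the 20-hex-digit entries; '#' header lines and blanks are skipped."""
    lines = (ln.strip().lower() for ln in text.splitlines())
    return {ln for ln in lines if ln and not ln.startswith("#")}

def is_blacklisted(line, blacklists):
    """blacklists: {'RSA-2048': entries, ...}; an absent list rejects nothing."""
    suffix, entry = blacklist_lookup_key(line)
    return entry in blacklists.get(suffix, set())

def mpint(v):
    """Encode a positive integer as an SSH mpint (leading zero keeps it positive)."""
    raw = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw

# Constructed sample: a syntactically valid ssh-rsa blob, not a real or weak key.
SAMPLE_BLOB = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint((1 << 2047) | 1)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed@example"
```

Because a missing list simply matches nothing, the check degrades gracefully when the blacklist package is only recommended rather than required, at the cost of silently accepting weak keys of that type and size.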