[Secure-testing-team] Bug#481853: [openssh-client] "ssh-vulnkey -a" does not see the weak keys of the user

Anthony DeRobertis anthony at derobert.net
Mon May 19 14:40:18 UTC 2008


On Mon, May 19, 2008 at 09:58:20AM +0100, Dominic Hargreaves wrote:
> Deleting a known_hosts file containing weak keys will not gain you any
> security (rather, it'll lose you security unless you rigourously check
> all the fingerprints of the host keys that used to be stored there).

Correct me if I'm wrong, but there really isn't much of a security
difference between just saying "yes" to the prompt and trusting the weak
key to verify the host. Well, other than that when you say "yes", at
least you know that you're trusting w/o any verification.

I'd suggest that OpenSSH should refuse to connect to a host with a
compromised host key. Or at least put up a message no less scary than
the man-in-the-middle one.



More information about the Secure-testing-team mailing list