[cryptography] someone should make openssh keys expire

Ralph Holz holz at net.in.tum.de
Tue Apr 9 07:54:41 EDT 2013


Hi,

On 04/09/2013 04:05 AM, Tom Ritter wrote:
> Somebody did ;)  http://www.sshark.org/

Could I shamelessly self-advertise our notary service for SSH host keys?

ralph at firenze:~$ dig -t TXT 131.159.15.12.cbssh.net.in.tum.de

;; ANSWER SECTION:
131.159.15.12.cbssh.net.in.tum.de. 21600 IN TXT "{ip: 131.159.15.12,
[{fp: 0f:59:a5:bf:28:7f:31:a3:cc:4a:7f:10:24:f8:b1:93, first-seen:
2012-11-18 01:36:19, last-seen: 2012-11-18 01:36:19, count: 1, type:
ssh-rsa, ver: ssh2},{fp:
56:de:fb:d4:c9:99:5d:e0:36:f4:2e:fb:4d:15:68:7d, first-seen: 2012-11-18
01" ":36:35, last-seen: 2012-11-18 01:36:35, count: 1, type: ssh-dss,
ver: ssh2}]}

We have several hundred thousand IP <--> hostkey mappings there.

Here's the talk:
http://www.youtube.com/watch?v=29h21n-tyfE&t=46m26s

Admittedly, this is just a low-powered notary that we run for the fun of
it, but we're going to release code etc. for others to use.

Ralph


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20130409/20855861/attachment-0001.asc>


More information about the cryptography mailing list