[Bug 230632] [NEW] ssh-vulnkey doesn't check all keys. Also, it would be nice to extend the warning message.

LimCore user.ubuntu at limcore.com
Thu May 15 09:07:50 BST 2008


*** This bug is a security vulnerability ***

Public security bug reported:

Not all keys can be checked with ssh-vulnkey, and users forget that they need to take care of the servers they use that did accept the weak keys.
I think we should at least warn about that.

Details:

1) ssh-vulnkey cannot check DSA keys that are in non-standard locations, or that are on removable media like USB keys.
At least inform the user about that and instruct them to run ssh-vulnkey by hand.
A surer solution: modify ssh to always check the key that is about to be used.
But that is more work (and double check! i.e. do not store the key being checked in /tmp or something!)

2) someone should probably warn users that just installing the fix and regenerating the key
is not enough to be 100% safe from this bug's consequences, that is:

a) servers that were set to accept the weak key may have already been compromised. To be really sure,
the admin should reinstall them.
b) the same for your own box, if you log into your own box using a public key
c) remember to remove wrong keys from .authorized_keys or update the server software to do that (or warn the server admin)


I'm not a security specialist, so I first consulted the above with advanced users, admins, and developers.
I also noted how most "regular users" thought that just installing the upgrade is enough and they can forget about the issue.

I don't want to read on slashdot next month how thousands of small servers were compromised because users didn't realize that
they told servers to accept their weak keys and the servers were not maintained well, so please - let's warn the users.

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

-- 
ssh-vulnkey doesn't check all keys. Also, it would be nice to extend the warning message.
https://bugs.launchpad.net/bugs/230632
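A defender-side illustration of items 1 and 2c above, added here as example code that is not part of the bug report or of the openssh package. It reimplements the check ssh-vulnkey performs on an authorized_keys file: the openssh-blacklist files list the last 20 hex digits (80 bits) of each compromised key's MD5 fingerprint, so the script computes that suffix for every key line and flags any that appears in the blacklist, then returns a copy of the file with the flagged lines commented out. Treat the blacklist format detail as an assumption and use the real tool where it is available; the point of taking file contents as strings is that it can be pointed at keys in non-standard locations or on removable media, which is the gap the report describes. The authorized_keys lines, key blobs and blacklist below are constructed for the demo and are not real keys.

```python
import base64
import hashlib
from typing import List, Optional, Set, Tuple

# Key types the 2008 blacklists cover (RSA and DSA); other types are left alone.
KEY_TYPES = ("ssh-rsa", "ssh-dss")


def split_authorized_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (options, keytype, blob_b64, comment), or None for blank/comment lines.

    Leading option fields (from="...", command="...") may contain spaces inside
    quotes, so we scan tokens for the first one that is a key type rather than
    assuming the key type is the first field.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = stripped.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            options = " ".join(tokens[:i])
            comment = " ".join(tokens[i + 2:])
            return options, tok, tokens[i + 1], comment
    return None


def fingerprint_suffix(blob_b64: str) -> str:
    """Last 20 hex digits of the MD5 fingerprint of the raw key blob.

    ssh-keygen's MD5 fingerprint is md5() over the base64-decoded blob; the
    blacklist files (assumption: openssh-blacklist format) store only the
    low 80 bits of that value, lowercase hex, no colons.
    """
    raw = base64.b64decode(blob_b64)  # raises ValueError/binascii.Error on bad input
    return hashlib.md5(raw).hexdigest()[-20:]


def load_blacklist(text: str) -> Set[str]:
    """Parse blacklist text: one fingerprint suffix per line, '#' comments allowed."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")}


def filter_authorized_keys(content: str, blacklist: Set[str]):
    """Return (new_content, flagged) where flagged lists blacklisted key lines.

    Blacklisted lines are kept in the output but commented out, so the admin can
    see what was removed; everything else passes through byte-for-byte.
    """
    kept: List[str] = []
    flagged: List[Tuple[int, str, str, str]] = []
    for lineno, line in enumerate(content.splitlines(), 1):
        parsed = split_authorized_line(line)
        if parsed is None:
            kept.append(line)
            continue
        _options, ktype, blob, comment = parsed
        try:
            suffix = fingerprint_suffix(blob)
        except ValueError:          # malformed base64: leave the line untouched
            kept.append(line)
            continue
        if suffix in blacklist:
            flagged.append((lineno, ktype, suffix, comment))
            kept.append("# REMOVED (blacklisted key): " + line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", flagged


# --- constructed sample data (not real keys, not a real blacklist) -----------
SAMPLE_GOOD_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa constructed-good-key").decode()
SAMPLE_WEAK_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa constructed-weak-key").decode()
SAMPLE_DSA_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-dss constructed-dsa-key").decode()

SAMPLE_AUTHORIZED_KEYS = (
    "# constructed sample authorized_keys, not a real file\n"
    f"ssh-rsa {SAMPLE_GOOD_BLOB} alice@laptop\n"
    f'command="/usr/bin/rsync --server" ssh-rsa {SAMPLE_WEAK_BLOB} backup@oldbox\n'
    f"ssh-dss {SAMPLE_DSA_BLOB} bob@desk\n"
)

# Built from the sample weak key's own suffix so the demo runs offline; the real
# lists ship as /usr/share/ssh/blacklist.* with the openssh-blacklist package.
SAMPLE_BLACKLIST = "# Key type RSA (constructed entry)\n" + fingerprint_suffix(SAMPLE_WEAK_BLOB) + "\n"


def demo_result():
    """Run the filter over the constructed sample; returns (new_content, flagged)."""
    return filter_authorized_keys(SAMPLE_AUTHORIZED_KEYS, load_blacklist(SAMPLE_BLACKLIST))


if __name__ == "__main__":
    new_text, hits = demo_result()
    for lineno, ktype, suffix, comment in hits:
        print(f"line {lineno}: {ktype} key '{comment}' matches blacklist entry {suffix}")
    print(new_text)
```

In practice the admin would read `/usr/share/ssh/blacklist.*` with `load_blacklist`, call `filter_authorized_keys` on each user's `~/.ssh/authorized_keys` (and on any key file copied in from a USB stick or a non-standard directory), and write the returned content back only after reviewing the flagged list. The script deliberately comments lines out rather than deleting them so that the change is visible and reversible.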