[Bug 232391] [NEW] DSA keys are not immediately rejected by ssh in workstation
Xeno Campanoli
xeno at eskimo.com
Wed May 21 04:00:10 BST 2008
*** This bug is a security vulnerability ***
Public security bug reported:
I noticed today that my Ubuntu-Server was rejecting my old DSA public
key by prompting me for a password anyway. This is good. However, when
I went into my CentOS server, it blithely accepted the public key and I
could get on without a password. It's my impression that that old
public key could have been compromised, and needed to be rejected, but
it needed to be rejected by the ssh on my workstation too, as otherwise
I would have been able to still use it on machines other than Ubuntu-
Servers. RedHat flavors, it sounds like, may never get around to
rejecting keys in this range, so they would all be compromised. It
would be very good if Ubuntu/Debian could force their workstation users
to make new keys also, unless for some reason this is deemed
unnecessary, in which case it is curious that Ubuntu-Server is rejecting
them.
** Affects: openssh (Ubuntu)
Importance: Undecided
Status: New
** This bug has been flagged as a security issue
--
DSA keys are not immediately rejected by ssh in workstation
https://bugs.launchpad.net/bugs/232391
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.