Weak host-keys are not replaced during openssh update
Markus Schönhaber
ubuntu-users at list-post.mks-mail.de
Tue May 13 19:40:25 UTC 2008
Mario Vukelic wrote:
> On Tue, 2008-05-13 at 20:49 +0200, Mario Vukelic wrote:
>> Maybe this: <snip>
>
> Um, probably not.
>
> Upon reflection I think that the upgrade does not replace any keys at
> all. You need to do that yourself. At least that's what the Debian
> announcement says:
>
> "It is strongly recommended that all cryptographic key material which
> has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
> systems is recreated from scratch."
>
> http://article.gmane.org/gmane.linux.debian.security.announce/1614
Which would contradict the section of the USN I cited.

Anyway, the culprit is a temporary blindness on my part which prevented
me from seeing that aptitude safe-upgrade did keep the update of
openssh-server back. What makes this even harder to bear for me is the
fact that I *did* read Karl Auer's post about "can't seem to get
openssh-*" before I posted my question. Well, there is no cure against
dumbness - you can only hope it doesn't hurt too much.

If one actually *does* update openssh-server, the server keys will be
regenerated.

Sorry for the noise.

Regards
mks