Weak host-keys are not replaced during openssh update

Markus Schönhaber ubuntu-users at list-post.mks-mail.de
Tue May 13 19:40:25 UTC 2008

Mario Vukelic wrote:

> On Tue, 2008-05-13 at 20:49 +0200, Mario Vukelic wrote:
>> Maybe this: <snip>
> Um, probably not. 
> Upon reflection I think that the upgrade does not replace any keys at
> all. You need to do that yourself. At least that#s what the Debian
> announcement says:
> "It is strongly recommended that all cryptographic key material which
> has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
> systems is recreated from scratch."
> http://article.gmane.org/gmane.linux.debian.security.announce/1614

Which would contradict the section of the USN I cited.

Anyway, the culprit is a temporary blindness on my part which prevented
me from seeing that aptitude safe-upgrade did keep the update of
openssh-server back. What makes this even harder to bear for me is the
fact that I *did* read Karl Auer's post about "can't seem to get
openssh-*" before I posted my question. Well, there is no cure against
dumbness - you can only hope it doesn't hurt to much.

If one actually *does* update openssh-server, the server keys will be
Sorry for the noise.


More information about the ubuntu-users mailing list