Weak host-keys are not replaced during openssh update

NoOp glgxg at sbcglobal.net
Tue May 13 20:13:52 UTC 2008

On 05/13/2008 12:40 PM, Markus Schönhaber wrote:
> Mario Vukelic wrote:
>> On Tue, 2008-05-13 at 20:49 +0200, Mario Vukelic wrote:
>>> Maybe this: <snip>
>> Um, probably not. 
>> Upon reflection I think that the upgrade does not replace any keys at
>> all. You need to do that yourself. At least that#s what the Debian
>> announcement says:
>> "It is strongly recommended that all cryptographic key material which
>> has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
>> systems is recreated from scratch."
>> http://article.gmane.org/gmane.linux.debian.security.announce/1614
> Which would contradict the section of the USN I cited.
> Anyway, the culprit is a temporary blindness on my part which prevented
> me from seeing that aptitude safe-upgrade did keep the update of
> openssh-server back. What makes this even harder to bear for me is the
> fact that I *did* read Karl Auer's post about "can't seem to get
> openssh-*" before I posted my question. Well, there is no cure against
> dumbness - you can only hope it doesn't hurt to much.
> If one actually *does* update openssh-server, the server keys will be
> regenerated.
> Sorry for the noise.
> Regards
>   mks

Worked on one machine, but the others didn't so following the upgrade I
just purged and reinstalled openssh-server. The keys then get
regenerated. Of course my NX keys are wonked as well, so it's another
fun day :-)

More information about the ubuntu-users mailing list