Weak host-keys are not replaced during openssh update
NoOp
glgxg at sbcglobal.net
Tue May 13 20:13:52 UTC 2008
On 05/13/2008 12:40 PM, Markus Schönhaber wrote:
> Mario Vukelic wrote:
>
>> On Tue, 2008-05-13 at 20:49 +0200, Mario Vukelic wrote:
>>> Maybe this: <snip>
>>
>> Um, probably not.
>>
>> Upon reflection I think that the upgrade does not replace any keys at
>> all. You need to do that yourself. At least that's what the Debian
>> announcement says:
>>
>> "It is strongly recommended that all cryptographic key material which
>> has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
>> systems is recreated from scratch."
>>
>> http://article.gmane.org/gmane.linux.debian.security.announce/1614
>
> Which would contradict the section of the USN I cited.
>
> Anyway, the culprit is a temporary blindness on my part which prevented
> me from seeing that aptitude safe-upgrade did keep the update of
> openssh-server back. What makes this even harder to bear for me is the
> fact that I *did* read Karl Auer's post about "can't seem to get
> openssh-*" before I posted my question. Well, there is no cure against
> dumbness - you can only hope it doesn't hurt too much.
>
> If one actually *does* update openssh-server, the server keys will be
> regenerated.
> Sorry for the noise.
>
> Regards
> mks
>
>
Worked on one machine, but the others didn't, so following the upgrade I
just purged and reinstalled openssh-server. The keys then get
regenerated. Of course my NX keys are wonked as well, so it's another
fun day :-)