can't seem to get openssh-*

NoOp glgxg at sbcglobal.net
Wed May 14 00:07:32 UTC 2008 

On 05/13/2008 04:53 PM, Karl Auer wrote:

> But as first reported, that resulted in openssh-client and
> openssh-server being "kept back".
> 
> Then I tried specifically upgrading those two packages:
> 
>    sudo apt-get upgrade openssh-client openssh-server
> 
> The same result - these two packages were "kept back".
> 
> But your last suggestion was the key:
> 
>>     However, if you tell apt-get to explicitly install a package it will
>> install the latest version, pulling in any dependencies.  Since this is
>> in response to a specific vulnerability then tell apt-get exactly what
>> you want it to do.
>> 
>> apt-get install openssh-client openssh-server
> 
> That worked. And it installed a dependency too, namely
> openssh-blacklist.
> 
> I now suspect that the packages openssh-client and openssh-server were
> NOT installed at all before I tried to upgrade them. Because I clearly
> DID have the sshd server and the ssh client installed, I assumed it was
> from packages with those names. How can I check this theory?
> 
> But: These packages are NOT actually needed, according to the security
> alert. You only need to upgrade the library. So I'm really not sure
> what's going on. Maybe those programs are statically compiled (would
> make sense).
> 
> Anyway, the "kept back" packages are installed now. Thanks for your
> help.
> 

FWIW: I experienced the same problem (Gutsy) and they were indeed and
working just fine on my machine. Following todays update & a bit of
reconfiguration my *hardy* machines are well again & working, including
ssh & NX.

However, my gutsy machine is totally borked for ssh, sshd, and NX. I've
removed/purged all of my ssh related packages (including NX), deleted
the /etc/ssh and .ssh folders, reinstalled ssh & openssh-server, and I
*still* can't get them to work. I keep getting:

COMPROMISED: 2048 93:ea:3e:be:1e:c2:fc:9c:62:f7:a1:eb:6d:db:d4:b3
/etc/ssh/ssh_host_rsa_key.pub
COMPROMISED: 1024 71:49:c8:be:eb:9d:d4:8e:3c:42:a4:f4:94:af:ce:9a
/etc/ssh/ssh_host_dsa_key.pub

Those are the keys that were generated by reinstalling openssh-server.
Reinstall also results in:

====
Some of the OpenSSH server host keys on this system were generated with
a version of OpenSSL that had a broken random number generator. As a
result, these host keys are from a well-known set, are subject to
brute-force attacks, and must be regenerated.

Users of this system should be informed of this change, as they will be
prompted about the host key change the next time they log in. Use
'ssh-keygen -l -f HOST_KEY_FILE' after the upgrade has changed to print
the fingerprints of the new host keys.

The affected host keys are:

/etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_dsa_key
====

So I don't know what the heck is going on. I figure I'll wait until
tomorrow and watch the bug reports to see if someone else comes up with
a solution.

More information about the ubuntu-users mailing list