Weak host-keys are not replaced during openssh update
Derek Broughton
news at pointerstop.ca
Tue May 20 01:26:50 UTC 2008
Mario Vukelic wrote:
> On Tue, 2008-05-13 at 20:49 +0200, Mario Vukelic wrote:
>> Maybe this: <snip>
>
> Um, probably not.
>
> Upon reflection I think that the upgrade does not replace any keys at
> all. You need to do that yourself. At least that's what the Debian
> announcement says:
>
> "It is strongly recommended that all cryptographic key material which
> has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
> systems is recreated from scratch."
>
> http://article.gmane.org/gmane.linux.debian.security.announce/1614

I got a prompt when I installed that seemed to replace some keys. I then
ran ssh-vulnkey to find the others and deleted all the ones that were
obsolete anyway, and now don't have any that are actually known to be
compromised (though there are still a couple of "unknown"s).
--
derek