Weak host-keys are not replaced during openssh update

Derek Broughton news at pointerstop.ca
Tue May 20 01:26:50 UTC 2008

Mario Vukelic wrote:

> On Tue, 2008-05-13 at 20:49 +0200, Mario Vukelic wrote:
>> Maybe this: <snip>
> Um, probably not.
> Upon reflection I think that the upgrade does not replace any keys at
> all. You need to do that yourself. At least that#s what the Debian
> announcement says:
> "It is strongly recommended that all cryptographic key material which
> has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
> systems is recreated from scratch."
> http://article.gmane.org/gmane.linux.debian.security.announce/1614

I got a prompt when I installed that seemed to replace some keys.  I then
ran ssh-vulnkey to find the others and deleted all the ones that were
obsolete anyway, and now don't have any that are actually known to be
compromised (though there are still a couple of "unknown"s).

More information about the ubuntu-users mailing list