
Re: EC2 images



On Fri, Jul 05, 2013 at 12:22:59AM +0200, Anders Ingemann wrote:
> *added jimmy to list of recipients.
> Jimmy and James: I would say this requires us to retract any existing
> wheezy images out there and issue a statement about a potential
> security risk when using Elliptic Curve cryptography to verify an SSH
> host, i.e. hosts can be spoofed.

It's a bit late to hide this thread from the public - debian-cloud@ is archived
by plenty of third-party list archives. :)

That said, currently the Google-specific startup scripts which are installed in
Google Compute Engine images handle this correctly, removing all three types of
keys on first boot (clearly a bit of the distro-independent logic there
overlaps with build-debian-cloud). Therefore the Google images shouldn't be
vulnerable.

It would be great if someone reading this would test - I'm rushing to prepare
for holiday travel, but pushing out images in line with actual urgency can be
done from my trip. If you want to help more with Google Compute Engine images
but don't have access, send me a Google account and I can give you access to a
free-billing but shared/small-quota project.

- Jimmy Kaplowitz
jimmy@debian.org
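
The check implied by "removing all three types of keys on first boot", as an added example that is not part of the original message and is not code from Google's startup scripts or build-debian-cloud. The function names and the sample directory are hypothetical; the image root is assumed to be unpacked or mounted at a local path.

```shell
#!/bin/sh
# Added example: audit and clean SSH host keys in an image root directory.

# Print every SSH host key file (private and public) under ROOT/etc/ssh.
# Matching is by glob, not by a fixed list of key types, so a type that
# OpenSSH adds later is still reported.
leftover_host_keys() {
    root=$1
    for f in "$root"/etc/ssh/ssh_host_*key "$root"/etc/ssh/ssh_host_*key.pub; do
        [ -f "$f" ] || continue        # unmatched glob stays literal
        printf '%s\n' "${f#"$root"}"   # path as seen inside the image
    done
}

# Succeeds only when no host key of any type is present.
image_is_clean() {
    [ -z "$(leftover_host_keys "$1")" ]
}

# Remove every host key so each instance must generate its own.
# Regenerating them (for example with `ssh-keygen -A`) is left to the
# first-boot script and is not done here.
remove_host_keys() {
    leftover_host_keys "$1" | while IFS= read -r rel; do
        rm -f -- "$1$rel"
    done
}

# Constructed sample: an empty directory tree standing in for an image root
# that still carries RSA, DSA and ECDSA host keys from build time.
make_sample_root() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/ssh"
    : > "$dir/etc/ssh/sshd_config"
    for t in rsa dsa ecdsa; do
        : > "$dir/etc/ssh/ssh_host_${t}_key"
        : > "$dir/etc/ssh/ssh_host_${t}_key.pub"
    done
    printf '%s\n' "$dir"
}

sample=$(make_sample_root)
image_is_clean "$sample" || echo "baked-in host keys found:"
leftover_host_keys "$sample"
remove_host_keys "$sample"
image_is_clean "$sample" && echo "image is clean"
rm -rf "$sample"
```

Running `image_is_clean` against the image root as a publish gate fails the build when any host key, of any type, was left in the image.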

