
Re: EC2 images



On 5/07/2013 6:22 AM, Anders Ingemann wrote:
On 4 July 2013 16:59, Tormod Ryeng <tormod@tormod.no> wrote:
Ah, that's probably the bug, right there. I guess you'll need to remove and
generate /etc/ssh/ssh_host_ecdsa_key as well?

admin@ip-10-227-121-70:/etc/ssh$ ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key
256 f9:c4:2a:ee:20:5e:66:c2:fc:76:12:63:53:13:9e:dc
root@domU-12-31-39-0A-91-E9 (ECDSA)
I created a pull request to my own repo:
https://github.com/andsens/build-debian-cloud/pull/79
The reason for that is that it's 00:21 in Denmark. Also I'm currently
a bit drunk from an event at work and I am sure that the Ballmer peak
feels different :-)
I would welcome anybody's effort to verify that it works (and also if
the bug is fixed). If so, I'll merge in the morning.

*added jimmy to list of recipients.
Jimmy and James: I would say this requires us to retract any existing
wheezy images out there and issue a statement about a potential
security risk when using Elliptic Curve cryptography to verify an SSH
host, i.e. hosts can be spoofed.

Good morning all. I've grabbed the patch, and have generated fresh AMIs in US East 1, available now. I have launched two instances from this, and confirm they successfully generated unique ECDSA host keys. I'm currently replicating around the Regions, and putting updates into the wiki page. I am dubbing this as 7.1a, with a note about the ECC host key (and the cleanup from Anders). I'll post again when all AMIs are available worldwide.

Thanks to Tormod for spotting this - much appreciated, and for Anders' quick patch. Based upon my successful regeneration, Anders, I'd say 'merge' and then tag to 7.1a (unless we have suggestions for another release number to differentiate from our original 7.1 AMIs).

@debian-security: What is the procedure here? Should this thread be hidden
from the public mailing list for a while or do we just keep this
information accessible?

Please email me at jameseb@amazon.com and james@rcpt.to and/or call me on my cell (below) for anything urgent (I'm at GMT +0800 this week).

  James

--
Mobile: +61 422 166 708, Email: james_AT_rcpt.to
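
Added example, not part of the thread or of the build-debian-cloud repository: two shell checks for the problem discussed above, one run against an unpacked image root before publishing and one run over public host keys collected from launched instances. The function names and directory layout are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): detect SSH host keys that were
# baked into an image and are therefore shared by every instance.

# Pre-publish gate. Prints every host key file left under
# <image-root>/etc/ssh and returns non-zero if any exist, because
# instances booted from that image would all present the same key.
baked_host_keys() {
    root=$1
    found=0
    for f in "$root"/etc/ssh/ssh_host_*key*; do
        [ -e "$f" ] || continue   # glob matched nothing
        echo "$f"
        found=1
    done
    return "$found"
}

# Post-launch check. Takes public host key files copied from several
# instances (e.g. each instance's ssh_host_ecdsa_key.pub saved under
# its own name) and prints, per key type, the files that carry an
# identical key blob. No output means every instance has its own key.
shared_host_keys() {
    awk 'NF >= 2 {
             k = $1 " " $2            # key type + base64 blob
             n[k]++
             src[k] = src[k] " " FILENAME
         }
         END {
             for (k in n) if (n[k] > 1) {
                 split(k, p, " ")
                 print p[1] ":" src[k]
             }
         }' "$@"
}
```

`baked_host_keys` is meant to fail the image build; `shared_host_keys` corresponds to the two-instance verification described in the message.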
