On 5/07/2013 6:22 AM, Anders Ingemann wrote:
On 4 July 2013 16:59, Tormod Ryeng <firstname.lastname@example.org> wrote:

Ah, that's probably the bug, right there. I guess you'll need to remove and generate /etc/ssh/ssh_host_ecdsa_key as well?

admin@ip-10-227-121-70:/etc/ssh$ ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key
256 f9:c4:2a:ee:20:5e:66:c2:fc:76:12:63:53:13:9e:dc root@domU-12-31-39-0A-91-E9 (ECDSA)

I created a pull request to my own repo: https://github.com/andsens/build-debian-cloud/pull/79

The reason for that is that it's 00:21 in Denmark. Also I'm currently a bit drunk from an event at work and I am sure that the Ballmer peak feels different :-) I would welcome anybody's effort to verify that it works (and also if the bug is fixed). If so, I'll merge in the morning.

*added Jimmy to list of recipients.

Jimmy and James: I would say this requires us to retract any existing wheezy images out there and issue a statement about a potential security risk when using Elliptic Curve cryptography to verify an SSH host, i.e. hosts can be spoofed.
Good morning all. I've grabbed the patch, and have generated fresh AMIs in US East 1, available now. I have launched two instances from this, and confirm they successfully generated unique ECDSA host keys. I'm currently replicating around the Regions, and putting updates into the wiki page. I am dubbing this as 7.1a, with a note about the ECC host key (and the cleanup from Anders). I'll post again when all AMIs are available worldwide.
Thanks to Tormod for spotting this - much appreciated, and for Anders' quick patch. Based upon my successful regeneration, Anders, I'd say 'merge' and then tag to 7.1a (unless we have suggestions for another release number to differentiate from our original 7.1 AMIs).
@debian-security: What is the procedure here? Should this thread be hidden from the public mailing list for a while or do we just keep this information accessible?
Please email me at email@example.com and firstname.lastname@example.org and/or call me on my cell (below) for anything urgent (I'm at GMT +0800 this week).
Mobile: +61 422 166 708, Email: james_AT_rcpt.to
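
The verification described in this thread (launch instances from the image and compare their ECDSA host key fingerprints) can be scripted. The following is an added example, not part of the original messages or of build-debian-cloud; it assumes the `ssh-keygen -lf` output of each instance has been collected with a hypothetical instance label prefixed to every line, and the sample labels and fingerprints are constructed.

```shell
#!/bin/sh
# Input: one line per host key, "<instance-label> <ssh-keygen -lf output>", e.g.
#   instance-a 256 01:23:...:ef root@build-host (ECDSA)
# Output: "<TYPE> <fingerprint> <instances>" for every key seen on more than
# one instance; nothing if all host keys are unique.
shared_host_keys() {
    awk '
        # Field 2 is the key size, field 3 the fingerprint, last field the type.
        NF >= 4 && $2 ~ /^[0-9]+$/ {
            type = $NF
            gsub(/[()]/, "", type)
            key = type " " $3
            id = key SUBSEP $1
            if (!(id in seen)) {        # count each instance once per key
                seen[id] = 1
                count[key]++
                hosts[key] = (count[key] > 1) ? hosts[key] "," $1 : $1
            }
        }
        END {
            for (k in count)
                if (count[k] > 1) print k, hosts[k]
        }
    ' | sort
}

# Constructed sample (labels and fingerprints are made up): the RSA keys were
# generated per instance, while the ECDSA key was carried over from the image.
sample_fingerprints() {
    cat <<'EOF'
instance-a 2048 aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa root@instance-a (RSA)
instance-a 256 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef root@build-host (ECDSA)
instance-b 2048 bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb:bb root@instance-b (RSA)
instance-b 256 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef root@build-host (ECDSA)
EOF
}

# Stand-alone run on the constructed sample.
sample_fingerprints | shared_host_keys
```

Any line of output means the image shipped a host key instead of generating one at first boot; a key comment naming the build host rather than the instance points the same way.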