Re: Considering dropping ssh-vulnkey from openssh-client

[Ian Jackson <ijackson@chiark.greenend.org.uk>]

Colin Watson writes ("Re: Considering dropping ssh-vulnkey from openssh-client"):
> That lists 53141 live hosts (0.52%) under the category "using Debian
> weak keys" (the percentage for TLS was 0.03%, close to your
> recollection).  From the context of the rest of the paper I understand
> that it is referring to SSH host keys.
> 
> This is indeed an alarming number.  However, I can only see a couple of
> possibilities here:

Another possibility is that the system was installed using a
vulnerable version of Debian, but has been running a distro which does
not contain ssh-vulnkey etc., and the administrator hasn't noticed.

(Perhaps the admin even deliberately switched away from Debian when
they heard about the vulnerability, without reading the details and
discovering that that didn't fix the problem.)

> Are there any other possibilities here where continuing to carry the
> vulnerability-checking code will actually help?  I'm particularly
> interested if anyone has experience dealing with cleaning up such a
> system they found under a rock.

My suggestion above is entirely hypothetical.

Ian.