ssh-keygen still gives vulnerable keys

To: debian-security@lists.debian.org
Subject: ssh-keygen still gives vulnerable keys
From: "R. W. Rodolico" <techinfo@dailydata.net>
Date: Tue, 03 Jun 2008 19:22:35 -0500
Message-id: <[🔎] 4845E04B.60702@dailydata.net>
Reply-to: techinfo@dailydata.net

I found that one of our clients servers had not been updated in almost a
year, so I updated it. This included the recent fixes to the ssh
problem. The reason for the service call was that it was not backing up
to its backup server, which happens as an rsync over ssh cron job.
Performing the update (including the openssh server and client) did not
fix the problem and, ssh-vulnkey still reported the host keys and the
key used for backup as vulnerable.

I regenerated the backup users key and ssh-vulnkey still reported it as
vulnerable and it would not connect to the backup server. I then removed
the .ssh directory and all entries on the backup server, and regenerated
again, with the same results. I generated a new dsa key, attempted to
log into another remote server, and this failed also.

I then performed a kernel update (one was out there) and rebooted.
Unfortunately, somewhere in the process I locked myself out of remote
access (ssh refuses my connection now), so I can not troubleshoot more
until the client is back in their office tomorrow.

Any ideas on why ssh-keygen would continue to create vulnerable keys
after the update?

Rod

Reply to:

Follow-Ups:
- Re: ssh-keygen still gives vulnerable keys
  - From: Stephen Gran <sgran@debian.org>
- Re: ssh-keygen still gives vulnerable keys
  - From: Dan Christensen <jdc@uwo.ca>

Prev by Date: Re: instructions for Bacula /openssl vulnerability [corrected/revised]
Next by Date: Re: ssh-keygen still gives vulnerable keys
Previous by thread: Re: instructions for Bacula /openssl vulnerability [corrected/revised]
Next by thread: Re: ssh-keygen still gives vulnerable keys
Index(es):
- Date
- Thread