Bug#481446: marked as done (openssh-server: openssh does not start complaining about comprimised keys with new generated keys)
Your message dated Fri, 16 May 2008 10:32:47 +0100
with message-id <20080516093246.GS16645@riva.ucam.org>
and subject line Re: Bug#481446: openssh-server: openssh does not start complaining about comprimised keys with new generated keys
has caused the Debian Bug report #481446,
regarding openssh-server: openssh does not start complaining about comprimised keys with new generated keys
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
481446: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481446
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:4.3p2-9etch1
Severity: important
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-xen-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages openssh-server depends on:
ii add 3.102 Add and remove users and groups
ii deb 1.5.11etch1 Debian configuration management sy
ii dpk 1.13.25 package maintenance system for Deb
ii lib 2.6.1-6 GNU C Library: Shared libraries
ii lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 common error description library
ii lib 1.4.4-7etch5 MIT Kerberos runtime libraries
ii lib 0.79-5 Pluggable Authentication Modules f
ii lib 0.79-5 Runtime support for the PAM librar
ii lib 0.79-5 Pluggable Authentication Modules l
ii lib 1.32-3 SELinux shared libraries
ii lib 0.9.8g-1 SSL shared libraries
ii lib 7.6.dbs-13 Wietse Venema's TCP wrappers libra
ii ope 0.1.1 list of blacklisted OpenSSH RSA an
ii ope 1:4.3p2-9etch1 Secure shell client, an rlogin/rsh
ii zli 1:1.2.3.3.dfsg-6 compression library - runtime
openssh-server recommends no packages.
-- debconf information:
* ssh/vulnerable_host_keys:
ssh/new_config: true
* ssh/use_old_init_script: true
ssh/encrypted_host_key_but_no_keygen:
ssh/disable_cr_auth: false
Subject: openssh-server: openssh does not start complaining about comprimised keys with new generated keys
Package: openssh-server
Version: 1:4.3p2-9etch1
Severity: important
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-xen-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages openssh-server depends on:
ii add 3.102 Add and remove users and groups
ii deb 1.5.11etch1 Debian configuration management sy
ii dpk 1.13.25 package maintenance system for Deb
ii lib 2.6.1-6 GNU C Library: Shared libraries
ii lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 common error description library
ii lib 1.4.4-7etch5 MIT Kerberos runtime libraries
ii lib 0.79-5 Pluggable Authentication Modules f
ii lib 0.79-5 Runtime support for the PAM librar
ii lib 0.79-5 Pluggable Authentication Modules l
ii lib 1.32-3 SELinux shared libraries
ii lib 0.9.8g-1 SSL shared libraries
ii lib 7.6.dbs-13 Wietse Venema's TCP wrappers libra
ii ope 0.1.1 list of blacklisted OpenSSH RSA an
ii ope 1:4.3p2-9etch1 Secure shell client, an rlogin/rsh
ii zli 1:1.2.3.3.dfsg-6 compression library - runtime
openssh-server recommends no packages.
-- debconf information:
* ssh/vulnerable_host_keys:
ssh/new_config: true
* ssh/use_old_init_script: true
ssh/encrypted_host_key_but_no_keygen:
ssh/disable_cr_auth: false
Hi,
I was updating my servers with the latest openssh patch. On one of the servers
openssh refused to start again complaining about compromised keys in
/etc/ssh/ssh_host_[r|d]sa_key
But I did re-create these keys and check it agains the blacklists.
Fingerprint of the new DSA key:
68:62:e5:a7:19:43:82:8e:f4:3f:32:d9:ec:8c:d4:bc
which is NOT listed in the blacklist.DSA-1024
If I do a /etc/init.d/ssh restart
ssh is complaining about COMPROMISED host key and refuses to start. Very
annoying if you do not have direct access to the computer.
Michael.
--- End Message ---
--- Begin Message ---
On Fri, May 16, 2008 at 10:12:22AM +0200, Michael Schwartzkopff wrote:
> I was updating my servers with the latest openssh patch. On one of the
> servers openssh refused to start again complaining about compromised
> keys in /etc/ssh/ssh_host_[r|d]sa_key
> But I did re-create these keys and check it agains the blacklists.
> Fingerprint of the new DSA key:
> 68:62:e5:a7:19:43:82:8e:f4:3f:32:d9:ec:8c:d4:bc
> which is NOT listed in the blacklist.DSA-1024
It actually is in the blacklist. Bear in mind that blacklist.DSA-1024
only has the last 80 bits of each fingerprint, for space reasons:
828ef43f32d9ec8cd4bc
Make sure that you have upgraded libssl0.9.8.
> If I do a /etc/init.d/ssh restart ssh is complaining about COMPROMISED
> host key and refuses to start. Very annoying if you do not have direct
> access to the computer.
I'm sorry that it's inconvenient, but is it worse not to be able to log
into your machine, or to have everyone on the Internet have access to
your machine?
Cheers,
--
Colin Watson [cjwatson@debian.org]
--- End Message ---
Reply to: