Bug#481860: openssh-server upgrade didn't remove all compromised keys from /etc/ssh
On 2008-05-19 10:35:58 +0200, Vincent Lefevre wrote:
> On 2008-05-19 07:26:29 +0100, Colin Watson wrote:
> > On Mon, May 19, 2008 at 04:28:46AM +0200, Vincent Lefevre wrote:
> > > When I upgraded openssh-server, ssh_host_dsa_key has been replaced
> > > because it was compromised, but not ssh_host_rsa_key, but this one
> > > was compromised too!
> >
> > What does 'grep -i hostkey /etc/ssh/sshd_config' say?
>
> vin:~> grep -i hostkey /etc/ssh/sshd_config
> # HostKeys for protocol version 2
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
On another Debian machine, I can see that ssh-vulnkey outputs
"Unknown (no blacklist information)" for the RSA key, probably
because openssh-blacklist-extra isn't installed on this machine.
The description field of openssh-blacklist-extra says:
"list of non-default blacklisted OpenSSH RSA and DSA keys"
I wonder why "non-default", because all these keys were generated
automatically when Debian was installed.
--
Vincent Lefèvre <vincent@vinc17.org> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / Arenaire project (LIP, ENS-Lyon)
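A defender-side check of the situation discussed above, written as an added example (not code from the bug report or from Debian's openssh packages): it enumerates the HostKey paths that sshd actually loads from sshd_config, runs Debian's ssh-vulnkey on each, and treats the "Unknown (no blacklist information)" result as unresolved rather than as safe. The helper names are hypothetical; the protocol-2 default key paths and the "COMPROMISED:" / "Not blacklisted:" output prefixes are assumptions about ssh-vulnkey, and reading private host keys requires root.

```shell
#!/bin/sh
# Added example: audit every host key sshd is configured to use against the
# Debian weak-key blacklist. Assumes ssh-vulnkey is installed (Debian/Ubuntu,
# 2008 era) and prints one of "COMPROMISED:", "Not blacklisted:" or
# "Unknown (no blacklist information):" per key (assumption).

# Print the HostKey paths from an sshd_config, skipping comment lines.
# sshd_config directives are case-insensitive, hence grep -i.
# With no HostKey directive, fall back to OpenSSH's protocol-2 defaults
# (assumption: the same two files the report shows).
hostkeys_from_config() {
    keys=$(grep -i '^[[:space:]]*hostkey[[:space:]]' "$1" | awk '{print $2}')
    if [ -z "$keys" ]; then
        keys='/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_dsa_key'
    fi
    printf '%s\n' "$keys"
}

# Map one ssh-vulnkey result line to a verdict word. "unknown" is exactly the
# case the report describes: the key is in no installed blacklist, which is
# not a clean result (openssh-blacklist-extra may simply be missing).
classify_vulnkey_line() {
    case "$1" in
        "COMPROMISED:"*)                         echo compromised ;;
        "Not blacklisted:"*)                     echo clean ;;
        "Unknown (no blacklist information):"*)  echo unknown ;;
        *)                                       echo unparsed ;;
    esac
}

# Check every configured host key. Exit status: 0 all clean, 1 some key
# could not be classified (install more blacklists), 2 a key is compromised.
check_host_keys() {
    config="${1:-/etc/ssh/sshd_config}"
    worst=0
    for key in $(hostkeys_from_config "$config"); do
        verdict=$(classify_vulnkey_line "$(ssh-vulnkey "$key" 2>&1)")
        echo "$verdict $key"
        case "$verdict" in
            compromised) worst=2 ;;
            unknown|unparsed) if [ "$worst" -eq 0 ]; then worst=1; fi ;;
        esac
    done
    return "$worst"
}

# Usage: sh audit-hostkeys.sh --check [/path/to/sshd_config]
if [ "${1:-}" = "--check" ]; then
    check_host_keys "${2:-}"
fi
```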