
Bug#483756: insist ssh-vulnkey -a be run by the administrator upon upgrade



>>>>> "S" == Suresh Ramasubramanian <suresh@hserus.net> writes:

>> Having a compromised key in ~/.ssh/authorized_keys (if that's what it
>> was) is effectively equivalent to allowing access to that account from
>> the entire Internet.

S> Obviously. Which is why I found it. Removed it. Told him to reupload it.
S> He seems to have uploaded a new compromised key. Told him about it.

When Mom told me to change my shirt, she didn't say she meant a clean
one... good thing some of us are so thick, else you would never
know... that some of us are so thick, and not adjust the warning
instructions for maximal impact...

(I saw this but don't recall being asked:
 OpenSSH host keys can be automatically regenerated when the OpenSSH security
 update is applied.  The update will prompt for confirmation before taking
 this step.
But I have a bad memory.)

Anyway, Idea: now that ssh is I suppose burdened with all these
checks, how about new protocols Ia and IIa (or 3 and 4): just like
protocols 1 and 2 but only available in newer versions that won't let
bad keys be born... OK, bye.


