Bug#481860: openssh-server upgrade didn't remove all compromised keys from /etc/ssh
On Mon, 19 May 2008, Vincent Lefevre wrote:
> On another Debian machine, I can see that ssh-vulnkey outputs
> "Unknown (no blacklist information)" for the RSA key, probably
> because openssh-blacklist-extra isn't installed on this machine.
>
> The description field of openssh-blacklist-extra says:
> "list of non-default blacklisted OpenSSH RSA and DSA keys"
>
> I wonder why "non-default", because all these keys were generated
> automatically when Debian was installed.
Non-default because ssh-keygen has generated 2048-bit keys for
RSA by default for quite some time, and the postinst doesn't
give an explicit size when it creates the keys.
openssh (1:4.2p1-1) unstable; urgency=low
[...]
- Increase the default size of new RSA/DSA keys generated by ssh-keygen
from 1024 to 2048 bits (closes: #181162).
[...]
-- Colin Watson <cjwatson@debian.org> Wed, 14 Sep 2005 15:16:14 +0100
So either this key got installed/generated manually, or it was
generated with an old SSH version running with a bad libssl,
or (unlikely) the key was generated normally and you simply
happen to have generated one of the bad ones.
I don't think this bug warrants its "grave" status.
Cheers,
--
Raphaël Hertzog
The French best-seller, updated for Debian Etch:
http://www.ouaza.com/livre/admin-debian/
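To make the "Unknown (no blacklist information)" verdict concrete, here is an added example (not from the bug report or from the openssh package) that mirrors how ssh-vulnkey picks a blacklist by key type and size: a 1024-bit RSA host key stays "Unknown" under the default openssh-blacklist lists and only gets a real verdict once the openssh-blacklist-extra list for RSA-1024 is present. The keys and blacklist contents are constructed, and the entry format (hex MD5 fingerprint with the first 12 digits dropped) is assumed from ssh-vulnkey's documented behaviour.

```python
import base64
import hashlib
import struct


def mpint(x):
    """OpenSSH mpint: big-endian, with a leading 0x00 when the top bit is set."""
    return x.to_bytes((x.bit_length() + 8) // 8, "big")


def build_ssh_rsa_line(bits, seed):
    """Constructed test key: any odd integer of the wanted size serves as 'modulus'
    for fingerprinting purposes; this is NOT a usable RSA key."""
    n = (1 << (bits - 1)) | seed | 1
    blob = b""
    for field in (b"ssh-rsa", mpint(65537), mpint(n)):
        blob += struct.pack(">I", len(field)) + field
    return "ssh-rsa " + base64.b64encode(blob).decode() + " root@constructed-host"


def parse_pubkey(line):
    """Return (key type, size in bits, hex MD5 fingerprint) of a public-key line."""
    ktype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack_from(">I", blob, off)
        off += 4
        fields.append(blob[off:off + length])
        off += length
    if ktype == "ssh-rsa":
        bits = int.from_bytes(fields[2], "big").bit_length()   # modulus n
    elif ktype == "ssh-dss":
        bits = int.from_bytes(fields[1], "big").bit_length()   # prime p
    else:
        raise ValueError("unsupported key type: " + ktype)
    return ktype, bits, hashlib.md5(blob).hexdigest()


def check_key(line, blacklists):
    """blacklists maps "RSA-2048" etc. to a set of 20-hex-digit entries
    (assumed format: MD5 fingerprint minus its first 12 digits)."""
    ktype, bits, fp = parse_pubkey(line)
    name = ("RSA" if ktype == "ssh-rsa" else "DSA") + "-%d" % bits
    if name not in blacklists:          # no list for this type/size at all
        return "Unknown (no blacklist information)"
    return "COMPROMISED" if fp[12:] in blacklists[name] else "Not blacklisted"
```

Loading only the default lists (RSA-2048, DSA-1024) reproduces the "Unknown" output from the report for a 1024-bit RSA key; adding an RSA-1024 list lets the same key be judged.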