
Bug#481860: openssh-server upgrade didn't remove all compromised keys from /etc/ssh



On Mon, 19 May 2008, Vincent Lefevre wrote:
> On another Debian machine, I can see that ssh-vulnkey outputs
> "Unknown (no blacklist information)" for the RSA key, probably
> because openssh-blacklist-extra isn't installed on this machine.
> 
> The description field of openssh-blacklist-extra says:
> "list of non-default blacklisted OpenSSH RSA and DSA keys"
> 
> I wonder why "non-default", because all these keys were generated
> automatically when Debian was installed.

non-default because ssh-keygen has generated 2048-bit keys for
RSA by default for quite some time, and the postinst doesn't
give an explicit size when it creates the keys.

openssh (1:4.2p1-1) unstable; urgency=low
[...]
    - Increase the default size of new RSA/DSA keys generated by ssh-keygen
      from 1024 to 2048 bits (closes: #181162).
[...]
 -- Colin Watson <cjwatson@debian.org>  Wed, 14 Sep 2005 15:16:14 +0100

So either this key got installed/generated manually, or it was
generated with an old SSH version running with a bad libssl,
or (unlikely) the key was generated normally and you simply
happen to have generated one of the bad ones.

I don't think this bug warrants its "grave" status.

Cheers,
-- 
Raphaël Hertzog

The French best-seller, updated for Debian Etch:
http://www.ouaza.com/livre/admin-debian/
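The point made above is that ssh-vulnkey can only match a key against a blacklist file for that key's type and size, and the default openssh-blacklist package only ships the sizes ssh-keygen produces by default. The following script is an added example, not code from this bug report or from the openssh packages: it decodes an OpenSSH public key line the way ssh-keygen -l does (RFC 4251 string/mpint framing) to recover the key type and bit size, then maps that pair to the blacklist file that would cover it. The directory /usr/share/ssh, the blacklist.<TYPE>-<BITS> naming and the split of sizes between openssh-blacklist and openssh-blacklist-extra are assumptions stated in the code; the 1024-bit modulus used as input is a constructed dummy, not a real key.

```python
import base64
import struct

# Added example, not code from the bug report or from the openssh packages.
# Assumption: Debian's blacklists live under /usr/share/ssh as
# blacklist.<TYPE>-<BITS>; openssh-blacklist ships the default sizes and
# openssh-blacklist-extra the remaining ones. Treat the exact file set as
# illustrative and check the installed packages on a real system.
BLACKLIST_DIR = "/usr/share/ssh"
DEFAULT_SIZES = {("RSA", 2048), ("DSA", 1024)}               # openssh-blacklist
EXTRA_SIZES = {("RSA", 1024), ("RSA", 4096), ("DSA", 2048)}  # openssh-blacklist-extra


def _read_string(blob, off):
    """Read one RFC 4251 'string' (uint32 big-endian length + bytes) from blob."""
    (length,) = struct.unpack(">I", blob[off:off + 4])
    start = off + 4
    return blob[start:start + length], start + length


def _mpint_bits(raw):
    """Bit length of an RFC 4251 mpint (big-endian; may carry a 0x00 sign pad)."""
    return int.from_bytes(raw, "big").bit_length()


def parse_pubkey(line):
    """Return (type, bits) for an OpenSSH public key line, as ssh-keygen -l reports it."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    kind, off = _read_string(blob, 0)
    if kind == b"ssh-rsa":
        _e, off = _read_string(blob, off)   # public exponent e
        n, _ = _read_string(blob, off)      # modulus n: its bit length is the key size
        return "RSA", _mpint_bits(n)
    if kind == b"ssh-dss":
        p, _ = _read_string(blob, off)      # prime p: its bit length is the key size
        return "DSA", _mpint_bits(p)
    raise ValueError("unsupported key type %r" % kind)


def blacklist_for(kind, bits):
    """Blacklist file and package that would cover this key, or None if no package ships one."""
    path = "%s/blacklist.%s-%d" % (BLACKLIST_DIR, kind, bits)
    if (kind, bits) in DEFAULT_SIZES:
        return path, "openssh-blacklist"
    if (kind, bits) in EXTRA_SIZES:
        return path, "openssh-blacklist-extra"
    return None


def _mpint(value):
    """Encode a non-negative integer as an RFC 4251 mpint."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw          # keep the value positive in two's complement
    return struct.pack(">I", len(raw)) + raw


def make_rsa_pubkey(n, e=65537):
    """Build an OpenSSH 'ssh-rsa' line from integers (constructed test input, not a real key)."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


if __name__ == "__main__":
    # Constructed 1024-bit dummy modulus: the size the old postinst produced,
    # which under the assumptions above only openssh-blacklist-extra covers.
    sample = make_rsa_pubkey((1 << 1023) | 0x10001)
    kind, bits = parse_pubkey(sample)
    print(kind, bits, blacklist_for(kind, bits))
```

On a real host the size can be read directly with `ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub`; if the blacklist file for that type and size is not installed, ssh-vulnkey has nothing to compare against, which is the situation the quoted "Unknown (no blacklist information)" output describes.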