
Bug#485408: openssh-client: ssh-keygen generates COMPROMISED keys after recent upgrade



Package: openssh-client
Version: 1:4.3p2-9etch2
Severity: grave
Tags: security
Justification: user security hole

ssh-keygen generates COMPROMISED keys after recent upgrade of etch

Example:
$ ssh -V     
OpenSSH_4.3p2 Debian-9etch2, OpenSSL 0.9.8e 23 Feb 2007
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/urban/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/urban/.ssh/id_rsa.
Your public key has been saved in /home/urban/.ssh/id_rsa.pub.
The key fingerprint is:
cf:f1:d8:16:c2:2c:bf:db:de:f0:24:75:95:33:92:e0 urban@sofia
$ ssh-vulnkey
....
COMPROMISED: 2048 cf:f1:d8:16:c2:2c:bf:db:de:f0:24:75:95:33:92:e0 /home/urban/.ssh/id_rsa.pub

The following OLDER version of ssh seems NOT to exhibit this problem:
$ ssh -V
OpenSSH_4.3p2 Debian-9etch1, OpenSSL 0.9.8c 05 Sep 2006
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/urban/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/urban/.ssh/id_rsa.
Your public key has been saved in /home/urban/.ssh/id_rsa.pub.
The key fingerprint is:
26:3c:5d:20:96:b6:48:4b:20:80:87:2f:bb:b7:08:51 urban@urban1e
urban@urban1e:~/.ssh$ ssh-vulnkey
....
Not blacklisted: 2048 26:3c:5d:20:96:b6:48:4b:20:80:87:2f:bb:b7:08:51 /home/urban/.ssh/id_rsa.pub
....

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages openssh-client depends on:
ii  add 3.102                                Add and remove users and groups
ii  deb 1.5.13                               Debian configuration management sy
ii  dpk 1.13.25                              package maintenance system for Deb
ii  lib 2.3.6.ds1-13etch5                    GNU C Library: Shared libraries
ii  lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 common error description library
ii  lib 2.9.cvs.20050518-3                   BSD editline and history libraries
ii  lib 1.4.4-7etch5                         MIT Kerberos runtime libraries
ii  lib 5.5-5                                Shared libraries for terminal hand
ii  lib 0.9.8e-4                             SSL shared libraries
ii  pas 1:4.0.18.1-7                         change and administer password and
ii  zli 1:1.2.3-13                           compression library - runtime

openssh-client recommends no packages.

-- no debconf information
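The transcripts above show ssh-vulnkey classifying each key by the colon-separated MD5 fingerprint that ssh-keygen prints. As an added example (not code from this bug report, from OpenSSH, or from the openssh-blacklist package), the Python below builds an id_rsa.pub style line from constructed RSA parameters, parses it back out of its RFC 4251 wire format, derives that fingerprint, reads the key size from the modulus, and looks the fingerprint up in a blacklist. The modulus is a toy value, not a real key, and the blacklist is a plain Python set of full fingerprints; the on-disk file format ssh-vulnkey reads is not reproduced. Keep in mind that such a lookup only says whether an existing key is on the list; which library generated the key is a separate question, and the two `ssh -V` lines on this page report different OpenSSL builds (0.9.8e and 0.9.8c).

```python
"""Fingerprint an OpenSSH public key and check it against a blacklist.

Added example; not code from the bug report, OpenSSH or openssh-blacklist.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer: minimal big-endian bytes,
    prefixed with 0x00 when the top bit is set so it is not read as negative."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_public_key_line(e: int, n: int, comment: str) -> str:
    """Build an id_rsa.pub style line: 'ssh-rsa <base64 blob> <comment>'."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def parse_public_key_line(line: str):
    """Return (key type, raw blob, list of wire fields) for one public key line.

    Raises ValueError on a malformed line, a truncated blob, or a blob whose
    embedded type string disagrees with the type name at the start of the line.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    fields = []
    off = 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off:off + length])
        off += length
    if not fields or fields[0] != keytype.encode("ascii"):
        raise ValueError("key type mismatch between line and blob")
    return keytype, blob, fields


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated hex MD5 of the raw key blob, the fingerprint format
    printed by ssh-keygen and ssh-vulnkey in the transcripts above."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def rsa_bits(fields) -> int:
    """Key size is the bit length of the modulus n, the third wire field."""
    return int.from_bytes(fields[2], "big").bit_length()


def check_key(line: str, blacklist):
    """Classify one public key line against a set of blacklisted fingerprints.

    Returns (status, bits, fingerprint); bits is None for non-RSA keys.
    """
    keytype, blob, fields = parse_public_key_line(line)
    fp = md5_fingerprint(blob)
    bits = rsa_bits(fields) if keytype == "ssh-rsa" and len(fields) == 3 else None
    status = "COMPROMISED" if fp in blacklist else "Not blacklisted"
    return status, bits, fp


# Constructed sample: e = 65537 and a toy 2048-bit modulus (NOT a real key).
SAMPLE_LINE = rsa_public_key_line(65537, (1 << 2047) | 1, "urban@sofia")

if __name__ == "__main__":
    status, bits, fp = check_key(SAMPLE_LINE, set())
    print(f"{status}: {bits} {fp}")
    # The same key flagged once its fingerprint is on the list.
    print(check_key(SAMPLE_LINE, {fp})[0])
```

With an empty blacklist the sample reports "Not blacklisted" and 2048 bits; putting its own fingerprint into the set flips the verdict to "COMPROMISED". Truncated blobs and a type name that does not match the blob's embedded string are rejected rather than silently fingerprinted, which is the failure a scanner over untrusted authorized_keys files must handle.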