Bug#482023: new generated keys are vulnerable
Package: openssh-server
Version: 1:4.3p2-9etch2
Severity: normal
After installing 1:4.3p2-9etch2 my host keys were regenerated, but the
new keys are reported to be vulnerable, too. I can reproduce that:
# vim /var/cache/debconf/config.dat
... delete seen flag for ssh/vulnerable_host_keys
# dpkg-reconfigure openssh-server
... message "Vulnerable host keys will be regenerated"
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Host key 15:2b:b1:5a:26:05:5b:ca:45:39:ea:12:a2:59:ea:dc blacklisted (see ssh-vulnkey(1))
Host key 81:bc:50:f6:1e:ab:5d:82:96:ca:3c:4f:90:22:23:c5 blacklisted (see ssh-vulnkey(1))
Restarting OpenBSD Secure Shell server: sshdHost key 15:2b:b1:5a:26:05:5b:ca:45:39:ea:12:a2:59:ea:dc blacklisted (see ssh-vulnkey(1))
Host key 81:bc:50:f6:1e:ab:5d:82:96:ca:3c:4f:90:22:23:c5 blacklisted (see ssh-vulnkey(1))
.
After repeating the above recipe, the key fingerprints change.
The problem is that my system has a libssl from testing (i.e. 0.9.8g-8).
Maybe openssh-server should conflict with the vulnerable versions of
libssl? Or the newly generated keys should be checked, resulting in a
warning if they are still vulnerable.
A fixed libssl version for testing-proposed-updates would be
great, too. (But this is OT for this report.)
Installing libssl from unstable and reconfiguring openssh-server (after
deleting the seen flag) fixed the problem.
Best regards
Uwe
-- System Information:
Debian Release: 4.0
APT prefers proposed-updates
APT policy: (900, 'proposed-updates'), (900, 'stable'), (300, 'testing-proposed-updates'), (300, 'testing'), (200, 'unstable'), (2, 'experimental')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24-1-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages openssh-server depends on:
ii add 3.102 Add and remove users and groups
ii deb 1.5.11etch2 Debian configuration management sy
ii dpk 1.14.16.6 package maintenance system for Deb
ii lib 2.7-10 GNU C Library: Shared libraries
ii lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 common error description library
ii lib 1.6.dfsg.3~beta1-4 MIT Kerberos runtime libraries
ii lib 0.79-5 Pluggable Authentication Modules f
ii lib 0.79-5 Runtime support for the PAM librar
ii lib 0.99.7.1-6 Pluggable Authentication Modules l
ii lib 1.32-3 SELinux shared libraries
ii lib 0.9.8g-8 SSL shared libraries
ii lib 7.6.dbs-13 Wietse Venema's TCP wrappers libra
ii ope 0.1.1 list of blacklisted OpenSSH RSA an
ii ope 1:4.3p2-9etch2 Secure shell client, an rlogin/rsh
ii zli 1:1.2.3.3.dfsg-12 compression library - runtime
openssh-server recommends no packages.
-- debconf information:
* ssh/vulnerable_host_keys:
ssh/new_config: true
* ssh/use_old_init_script: true
ssh/encrypted_host_key_but_no_keygen:
ssh/disable_cr_auth: false
--
Uwe Kleine-König, Software Engineer
Digi International GmbH Branch Breisach, Küferstrasse 8, 79206 Breisach, Germany
Tax: 315/5781/0242 / VAT: DE153662976 / Reg. Amtsgericht Dortmund HRB 13962
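The check the reporter asks for (verify freshly generated host keys against the openssh-blacklist before trusting them) is what ssh-vulnkey does at sshd start-up. The following is an added, stand-alone Python reimplementation of that lookup, not code from the bug report or from the openssh package; the sample public key and the blacklist contents are constructed, and the blacklist layout (comment header, then the MD5 fingerprint with its first 12 hex digits removed, one per line) is assumed from ssh-vulnkey(1).

```python
import base64
import hashlib

# Constructed sample input (not a real key): arbitrary bytes base64-encoded
# in an OpenSSH public-key line. ssh-keygen(1) fingerprints the decoded blob
# with MD5, which is all this check needs.
SAMPLE_PUBKEY_LINE = "ssh-rsa %s root@host" % base64.b64encode(
    b"constructed-not-a-real-rsa-key").decode()


def md5_fingerprint(pubkey_line):
    """Colon-separated MD5 fingerprint, as in the report (15:2b:b1:...)."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def blacklist_key(fingerprint):
    """Lookup form used by ssh-vulnkey: colons removed, first 12 hex digits
    dropped, leaving the low 80 bits (20 hex digits)."""
    return fingerprint.replace(":", "")[12:]


def load_blacklist(text):
    """Parse blacklist text into a set; blank lines and '#' comments skipped."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.startswith("#")}


def is_blacklisted(pubkey_line, blacklist):
    return blacklist_key(md5_fingerprint(pubkey_line)) in blacklist


def check_host_keys(pubkey_lines, blacklist):
    """(fingerprint, verdict) per key, mirroring sshd's start-up message
    'Host key <fp> blacklisted (see ssh-vulnkey(1))'."""
    return [(fp, "blacklisted" if blacklist_key(fp) in blacklist else "ok")
            for fp in map(md5_fingerprint, pubkey_lines)]


# Constructed blacklist in the assumed openssh-blacklist layout, seeded with
# the sample key so the check fires exactly as it did for the reporter's
# regenerated host keys.
BLACKLIST = load_blacklist(
    "# Hex fingerprints of blacklisted keys, first 12 characters removed\n"
    + blacklist_key(md5_fingerprint(SAMPLE_PUBKEY_LINE)) + "\n")

if __name__ == "__main__":
    for fp, verdict in check_host_keys([SAMPLE_PUBKEY_LINE], BLACKLIST):
        print("Host key %s %s" % (fp, verdict))
```

Run against /etc/ssh/ssh_host_*_key.pub and the real /usr/share/ssh/blacklist.* files, a non-empty "blacklisted" result after regeneration is the warning the reporter proposes the package emit instead of silently restarting sshd.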