Re: Considering dropping ssh-vulnkey from openssh-client

To: debian-devel@lists.debian.org,debian-ssh@lists.debian.org
Subject: Re: Considering dropping ssh-vulnkey from openssh-client
From: Scott Kitterman <debian@kitterman.com>
Date: Sat, 14 Sep 2013 23:07:24 -0400
Message-id: <[🔎] 1c05c181-2a5a-48cb-8f80-a4e80f1e51c5@email.android.com>
In-reply-to: <[🔎] 20130914234748.GA23558@riva.ucam.org>
References: <[🔎] 20130914214913.GL480@riva.ucam.org> <[🔎] 5390339.vWLLJmp7uf@scott-latitude-e6320> <[🔎] 20130914234748.GA23558@riva.ucam.org>


Colin Watson <cjwatson@debian.org> wrote:
>On Sat, Sep 14, 2013 at 06:45:27PM -0400, Scott Kitterman wrote:
>> In the course of some research I was doing recently I recall running
>across a 
>> survey that someone had done about SSH keys in use on the internet. 
>My vague 
>> recollection (it was completely tangential to what I was looking for)
>was that 
>> it found that something like 0.04% of current internet visible keys
>were 
>> vulnerable.
>
>I think you may be thinking of this paper:
>
>  https://factorable.net/weakkeys12.conference.pdf
>
>That lists 53141 live hosts (0.52%) under the category "using Debian
>weak keys" (the percentage for TLS was 0.03%, close to your
>recollection).  From the context of the rest of the paper I understand
>that it is referring to SSH host keys.
>
>This is indeed an alarming number.  However, I can only see a couple of
>possibilities here:
>
> * The host might be running a version of etch without the patches for
>   DSA-1576 applied (perhaps it's an embedded device with little in the
>   way of upgrade provision, or perhaps it's just negligent sysadmin).
>   In this case they have no direct upgrade path to jessie anyway; they
>   would have to upgrade via at least one of lenny and squeeze, either
>   of which will automatically regenerate vulnerable host keys on
>   upgrade.
>
> * The host might be running something newer, but have taken deliberate
>   action to restore the vulnerable host keys after
>   openssh-server.postinst regenerated them and to disable the
>   blacklisting.  In this case there is no reason to suppose that
>   carrying ssh-vulnkey and friends for longer will make any more
>   difference than it already has.
>
>My gut feeling is that there are many more of the former than the
>latter, on the grounds that negligence is generally more likely than
>deliberate action, although from the confused bug mail I got at the
>time
>(from people who didn't realise that we weren't specifically locking
>them out of their systems, we were locking *the rest of the world* out
>of their systems), I expect a few of the latter too.
>
>Are there any other possibilities here where continuing to carry the
>vulnerability-checking code will actually help?  I'm particularly
>interested if anyone has experience dealing with cleaning up such a
>system they found under a rock.

Yes. I think that's it.

I don't think I know enough to have an opinion on if the risks of keeping it outweigh the risks of getting rid of it.  Now that you've got the data to consider, I'm happy however you choose. 

Thanks,

Scott K

Reply to:

References:
- Considering dropping ssh-vulnkey from openssh-client
  - From: Colin Watson <cjwatson@debian.org>
- Re: Considering dropping ssh-vulnkey from openssh-client
  - From: Scott Kitterman <debian@kitterman.com>
- Re: Considering dropping ssh-vulnkey from openssh-client
  - From: Colin Watson <cjwatson@debian.org>

Prev by Date: Bug#492382: marked as done (needs to check /usr/share/ssh for blacklisted keys)
Next by Date: Re: Considering dropping ssh-vulnkey from openssh-client
Previous by thread: Re: Considering dropping ssh-vulnkey from openssh-client
Next by thread: Re: Considering dropping ssh-vulnkey from openssh-client
Index(es):
- Date
- Thread