On 4 July 2013 16:59, Tormod Ryeng <[email protected]> wrote: > On 07/04/2013 04:44 PM, Anders Ingemann wrote: >> >> On 4 July 2013 16:37, Tormod Ryeng <[email protected]> wrote: >>> >>> The AWS EC2 AMIs on >>> >>> https://aws.amazon.com/marketplace/seller-profile/ref=srh_res_product_vendor?ie=UTF8&id=890be55d-32d8-4bc8-9042-2b4fd83064d5 >>> (linked to from http://wiki.debian.org/Cloud/AmazonEC2Image) give the >>> same >>> ECDSA key fingerprint for every instance when SSHing to the instances. >>> The >>> host keys should be generated during the first boot-up of the instance, >>> but >>> seem to be static. >>> >>> I would assume that anyone using e.g. ami-ddbeafa9 gets the fingerprint >>> f9:c4:2a:ee:20:5e:66:c2:fc:76:12:63:53:13:9e:dc. >>> >>> We've only tested the eu-west 64-bit AMI and some of the RightScale >>> images >>> listed on the wiki, and they've all had the same problem. >>> >>> I don't know whether this is a bug in the tools used to create the images >>> or >>> not. > > >> Whoa, that is weird, to say the least. >> I remove the keys when creating the ami >> >> (https://github.com/andsens/build-debian-cloud/blob/master/tasks/60-cleanup) >> and create new ones at first boot >> >> (https://github.com/andsens/build-debian-cloud/blob/master/init.d/generate-ssh-hostkeys). >> Do we have an entropy problem?!?! > > > Ah, that's probably the bug, right there. I guess you'll need to remove and > generate /etc/ssh/ssh_host_ecdsa_key as well? > > admin@ip-10-227-121-70:/etc/ssh$ ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key > 256 f9:c4:2a:ee:20:5e:66:c2:fc:76:12:63:53:13:9e:dc > root@domU-12-31-39-0A-91-E9 (ECDSA) > > -- > Regards, > Tormod Ryeng
I created a pull request to my own repo: https://github.com/andsens/build-debian-cloud/pull/79 The reason for that is that it's 00:21 in denmark. Also I'm currently a bit drunk from an event at work and I am sure that the ballmer peak feels different :-) I would welcome anybodies effort to verify that it works (and also if the bug is fixed). If so, I'll merge in the morning. *added jimmy to list of recipients. Jimmy and James: I would say this requires us to retract any existing wheezy images out there and issue a statement about a potential security risk when using Elliptic Curve cryptography to verify an SSH host, i.e. hosts can be spoofed. To fix it on existing machines, one can run: rm /etc/ssh/ssh_host_ecdsa_key ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -t ecdsa -C 'host' -N '' @debian-security: What is procedure here? Should this thread be hidden from the public mailing list for a while or do we just keep this information accessible? -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/camcogxh8arqgrbpkdcfxodsni5fckchxtu4hj1crdvohjns...@mail.gmail.com
