On Fri, Jul 05, 2013 at 12:22:59AM +0200, Anders Ingemann wrote:
> *added jimmy to list of recipients.
> Jimmy and James: I would say this requires us to retract any existing
> wheezy images out there and issue a statement about a potential
> security risk when using Elliptic Curve cryptography to verify an SSH
> host, i.e. hosts can be spoofed.

It's a bit late to hide this thread from the public - debian-cloud@ is archived by plenty of third-party list archives. :)

That said, currently the Google-specific startup scripts which are installed in Google Compute Engine images handle this correctly, removing all three types of keys on first boot (clearly a bit of the distro-independent logic there overlaps with build-debian-cloud). Therefore the Google images shouldn't be vulnerable. It would be great if someone reading this would test - I'm rushing to prepare for holiday travel, but pushing out images in line with actual urgency can be done from my trip.

If you want to help more with Google Compute Engine images but don't have access, send me a Google account and I can give you access to a free-billing but shared/small-quota project.

- Jimmy Kaplowitz
[email protected]
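The check and first-boot cleanup discussed in the reply above, as an added example that is not part of the original thread and is not the Google or build-debian-cloud code. The function names and the image-root argument are assumptions, and the key files in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit an image root for SSH host keys
# left in place at build time, and remove them the way a first-boot script would.
# ROOT is an assumed path to a mounted or unpacked image filesystem.

# Print "<type> <path>" for every private host key under ROOT/etc/ssh.
# The glob covers all key types rather than a fixed rsa/dsa list, so a
# key type the cleanup does not name (ecdsa in the demo) is not skipped.
list_baked_host_keys() {
    for hk_path in "$1"/etc/ssh/ssh_host_*key; do
        [ -f "$hk_path" ] || continue          # unmatched glob stays literal
        hk_type=${hk_path##*/ssh_host_}        # "ecdsa_key", or "key" for SSHv1
        hk_type=${hk_type%key}
        hk_type=${hk_type%_}
        echo "${hk_type:-rsa1} $hk_path"
    done
}

# Exit status 0 if ROOT carries no private host keys, 1 otherwise.
audit_image() {
    found=$(list_baked_host_keys "$1")
    [ -z "$found" ] && return 0
    echo "host keys baked into image $1:" >&2
    echo "$found" >&2
    return 1
}

# Remove every host key pair (private and .pub) of every type.
purge_host_keys() {
    rm -f "$1"/etc/ssh/ssh_host_*key "$1"/etc/ssh/ssh_host_*key.pub
}

# Demo on a constructed image root: a cleanup that names only rsa and dsa
# leaves the ecdsa key behind; the audit catches it, the glob purge fixes it.
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/etc/ssh"
    for t in rsa dsa ecdsa; do
        echo "constructed placeholder, not a real key" > "$demo_root/etc/ssh/ssh_host_${t}_key"
        echo "constructed placeholder" > "$demo_root/etc/ssh/ssh_host_${t}_key.pub"
    done
    rm -f "$demo_root"/etc/ssh/ssh_host_rsa_key* "$demo_root"/etc/ssh/ssh_host_dsa_key*
    audit_image "$demo_root" || echo "audit failed as expected"
    purge_host_keys "$demo_root"
    audit_image "$demo_root" && echo "image clean after purge"
    rm -rf "$demo_root"
fi
```

Run with `--demo` to see both outcomes. On a real first boot the purge is followed by key regeneration (for example `ssh-keygen -A`) before sshd starts.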
