CW> But that's OK; any keys that would be detected by ssh-vulnkey will also
CW> be blacklisted automatically by sshd.

Well all I know is that I do my sid upgrades, and my friends emailed me to tell me I had things needing replacing on their machines. I don't run sshd but often use ssh...

CW> (Did you know about the blacklisting? Your bug suggests that you didn't,
CW> or didn't quite understand what's going on here.)

(Actually I purposely don't research too far into it. This allows me to give you the rare voice from the dumbest user (but still knows how to use the BTS) point of view. Indeed, I bet Windows users have some wizard program to set up their first ~/.ssh/* much easier than we GNU/Linux who have to go reading instructions from man pages.)

All I know is "usual security upgrade routine... done. Check apt-listchanges for anything with lots of asterisks etc... done"

>> Also please emit a message about what action one should take, or tell
>> them to see the man page, when bad things are found.

CW> Thanks, I've implemented this.

CW> # Some keys on your system have been compromised!
CW> # You must replace them using ssh-keygen(1).
CW> #
CW> # See the ssh-vulnkey(1) manual page for further advice.

OK, I suppose that's good but of course I'm no expert. Wait, also mention the importance of cleaning up keys that one has put on remote machines as well as this machine. Also say it on the man page.

Indeed my friend told me to replace all my keys on his machine, which I did. Then the next week he told me I had replaced them with compromised keys... indeed, I just copied them from machine C to machine B, without ever thinking about regenerating them first.

So fortunately some users are as dumb as me here, else you wouldn't know the magnitude of the education problem. Indeed, education won't work anyway, as e.g., I have to read all the ssh man pages all over again whenever I want to make a new remote machine not need a password to log in.

OK, thanks for adding more instructions and warnings.
Maybe at least add something to the apt-listchanges news stuff with lots of asterisks saying root should do ssh-vulnkey -a and then what to do if something is detected.

