I'll try to give context to Amos's message, as I think it is important.
If you are running an ssh server on a machine which is not Debian, and was never affected by the openssl key generation bug, you may be under the impression that there is no need to do anything. This is not exactly the case.
It is possible that some of your users were running affected machines when they generated their keys, and they placed these keys into their "authorized_keys" file on your server. This means that an attacker has a bunch of relatively small keys, well known, that she can use for public key authentication as said users to your machine.
What the ssh-vulnkey package does is to disable some known keys. In other words, people who posted known vulnerable keys into authorized_keys will not be able to use those keys in order to automatically log into your system, and neither will the attackers.
This is an important upgrade.
Shachar
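One way to audit an authorized_keys file against a list of known-weak key fingerprints, as an added example that is not part of the original message and is not ssh-vulnkey's own code. The blocklist format (hex MD5 of the decoded key blob), the function names and the sample entries are assumptions constructed for illustration.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # assumption: key types to check
def md5_fingerprint(blob_b64):
    """Hex MD5 of the decoded public key blob (assumed blocklist format)."""
    return hashlib.md5(base64.b64decode(blob_b64, validate=True)).hexdigest()

def skip_options(line):
    """Drop a leading options field, honouring double-quoted values."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return line[i:].lstrip()
    return ""

def audit(text, blocklist):
    """Return (line number, fingerprint, comment) for each blocklisted key."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] not in KEY_TYPES:  # line starts with an options field
            fields = skip_options(line).split()
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            continue
        try:
            fp = md5_fingerprint(fields[1])
        except ValueError:  # malformed base64: not a usable key line
            continue
        if fp in blocklist:
            hits.append((lineno, fp, " ".join(fields[2:])))
    return hits

# Constructed sample data: these blobs are placeholders, not real keys.
WEAK = base64.b64encode(b"constructed blob standing in for a weak key").decode()
GOOD = base64.b64encode(b"constructed blob standing in for a sound key").decode()
SAMPLE = f"""# constructed authorized_keys content
ssh-rsa {GOOD} alice@laptop
command="echo ssh-rsa x",no-pty ssh-rsa {WEAK} bob@old-debian
ssh-rsa not*base64 broken-entry
"""
BLOCKLIST = {md5_fingerprint(WEAK)}
if __name__ == "__main__":
    print(audit(SAMPLE, BLOCKLIST))
```

Entries it reports are the ones to remove from the file and have the user regenerate on an unaffected machine.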
