On Thu, 2008-05-15 at 10:02 +0100, Dave Ewart wrote:

> Debian (and thus also Ubuntu) have released updated openssh packages
> which include a new tool called ssh-vulnkey which can be used to check
> the running system[1] for vulnerable keys: ssh-vulnkey works similarly
> to the Perl script in the Debian announcement. 

That is not 100% effective (afaik). It's still advised that you toss any
key that you are not 100% certain came from a non-affected system for
every user.

They can always go back in once you're sure that they are safe.

> I believe the original assessment was correct: *all* systems running SSH
> ought to check for these vulnerable keys, not just those systems running
> Debian or derivatives. 

Correct, it is a user-propagated issue. It's best to just chuck all keys
for now and put them back as you're sure that they did not come from a
buggy keygen.

>  Yes, it's Debian's "fault", but we all have to
> manage the consequences.

Shit happens :)

-- 
Monkey + Typewriter = Echoreply ( http://echoreply.us )
