<quote who="Peter Chubb">
> Just in case anyone missed it, there's been a major vulnerability for
> any SSH keys generated on a debian system over the last two years or
> so ... apparently the random number generator wasn't being seeded
> right, so only a few distinct keys were actually generated.
>
> The AARNET mirror doesn't have the updated packages as of this
> morning, but the Optusnet mirror does ... I suggest that
> -- you install the new openssh-client package (version 1:4.7p1-9 on unstable)
> -- run ssh-vulnkey -a as root to find any vulnerable keys, and get
> your users to fix them.

... and anyone running a machine that accepts ssh key authentication, even if it's not running Debian, has to care about this. Check the keys that are being used to authenticate to your hosts, and consider your recovery options carefully given that we can't detect all of the vulnerable keys.

- Jeff

--
OSCON 2008: Portland OR, USA http://conferences.oreilly.com/oscon/

"GNOME, launched specifically to counter a threat to our freedom, is the free software project par excellence." - Richard Stallman

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
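An added example, not part of the original posts and not the ssh-vulnkey tool: one way to audit an authorized_keys file on any host, Debian or not, against a list of known-weak key fingerprints. It assumes the list holds lowercase hex MD5 fingerprints or their trailing digits; the function names, the sample keys and the blocklist entry are all constructed for illustration.

```python
import base64
import hashlib
import struct

def key_blob(fields):
    """Return (keytype, raw_blob) from an authorized_keys line's fields, or None.
    An options field may precede the key, so accept a key type only when the
    next field decodes to a blob starting with that length-prefixed type name."""
    for i, tok in enumerate(fields[:-1]):
        if tok not in ("ssh-rsa", "ssh-dss"):
            continue
        try:
            raw = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:  # not base64, e.g. text inside command="..."
            continue
        name = tok.encode()
        if raw[:4] == struct.pack(">I", len(name)) and raw[4:4 + len(name)] == name:
            return tok, raw
    return None

def audit(text, blocklist):
    """Return [(lineno, keytype, md5_hex)] for keys whose MD5 fingerprint ends
    with a blocklist entry. An empty result is not proof of safety: as the
    post says, not all vulnerable keys can be detected."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # skip comments and disabled keys
            continue
        found = key_blob(line.split())
        if found is None:
            continue
        fp = hashlib.md5(found[1]).hexdigest()
        if any(fp.endswith(entry) for entry in blocklist):
            hits.append((lineno, found[0], fp))
    return hits

def _sample_key(payload):
    # Constructed, non-functional key material for demonstration only.
    return base64.b64encode(struct.pack(">I", 7) + b"ssh-rsa" + payload).decode()

WEAK, GOOD = _sample_key(b"constructed-weak"), _sample_key(b"constructed-good")
SAMPLE = ("# constructed authorized_keys\n"
          f"ssh-rsa {GOOD} alice@example\n"
          f'command="echo ssh-rsa x",no-pty ssh-rsa {WEAK} bob@example\n')
# Constructed blocklist entry: trailing 20 hex digits of the weak sample's MD5.
BLOCKLIST = {hashlib.md5(base64.b64decode(WEAK)).hexdigest()[-20:]}

if __name__ == "__main__":
    for hit in audit(SAMPLE, BLOCKLIST):
        print("listed key at line %d: %s %s" % hit)
```

Run it over every account's authorized_keys, and treat any key that matches as compromised: remove it and have the user generate a replacement on a patched system.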
