For people not using debian, the ssh-vulnkey logic has been repackaged
with dependencies as a CPAN distribution and should be installable
anywhere that has a Perl installation, including on Windows using
Strawberry Perl (http://strawberryperl.com).
http://search.cpan.org/dist/Dowse-BadSSH/
The package is going through a couple of releases a day as it gets
tweaked and cross-platform bugs are excised, so if you have any
difficulties with it, wait 24 hours or so and try again.
Adam K
Peter Chubb wrote:
Just in case anyone missed it, there's been a major vulnerability for
any SSH keys generated on a debian system over the last two years or
so ... apparently the random number generator wasn't being seeded
right, so only a few distinct keys were actually generated.
The AARNET mirror doesn't have the updated packages as of this
morning, but the Optusnet mirror does ... I suggest that
-- you install the new openssh-client package (version 1:4.7p1-9 on unstable)
-- run ssh-vulnkey -a as root to find any vulnerable keys, and get
your users to fix them.
--
Dr Peter Chubb http://www.gelato.unsw.edu.au peterc AT gelato.unsw.edu.au
http://www.ertos.nicta.com.au ERTOS within National ICT Australia
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
