Just a gentle sanitization reminder to all of you providing and using pre-baked images:
Image builders: Please make sure there are no pre-generated sshd keys in /etc/ssh/ in your images. This will expose all those who use your images to potential MitM ssh attacks. Same goes for any keys in root and other users' ~/.ssh/ accounts - make sure the ~/.ssh folders in the root's and all other accounts are removed before you request uploading of the images. This is even more important since it could expose your authentication keys, if you have set up any in the image. Image users: Make sure you check for pre-existing ssh keys mentioned above, and delete them before using the image (sshd will generate new ones if existing ones are not there). Please report any discover of pre-existing keys in any provided images so that I can remove or sanitize them. This should all already be obvious to most of you, but considering a recent report showed that broken weak keys discovered to be generated in some disributions back in 2008 are still in use in the wild, perhaps there is not enough awareness of issues surrounding keys in the wild. Ultimately: 1) It is the responsibility of the image provider to ensure they have cleaned out the sshd keys before uploading the image. 2) It is the responsibility of the image user to ensure they have cleaned out the sshd keys before using the image. Thank you for your attention. Gordan _______________________________________________ users mailing list [email protected] http://lists.redsleeve.org/mailman/listinfo/users
