On Sat, Sep 14, 2013 at 06:45:27PM -0400, Scott Kitterman wrote:
> In the course of some research I was doing recently I recall running across a
> survey that someone had done about SSH keys in use on the internet. My vague
> recollection (it was completely tangential to what I was looking for) was that
> it found that something like 0.04% of current internet visible keys were
> vulnerable.

I think you may be thinking of this paper:

  https://factorable.net/weakkeys12.conference.pdf

That lists 53141 live hosts (0.52%) under the category "using Debian weak
keys" (the percentage for TLS was 0.03%, close to your recollection). From
the context of the rest of the paper I understand that it is referring to
SSH host keys.

This is indeed an alarming number. However, I can only see a couple of
possibilities here:

 * The host might be running a version of etch without the patches for
   DSA-1576 applied (perhaps it's an embedded device with little in the way
   of upgrade provision, or perhaps it's just a negligent sysadmin). In this
   case they have no direct upgrade path to jessie anyway; they would have
   to upgrade via at least one of lenny and squeeze, either of which will
   automatically regenerate vulnerable host keys on upgrade.

 * The host might be running something newer, but have taken deliberate
   action to restore the vulnerable host keys after openssh-server.postinst
   regenerated them and to disable the blacklisting. In this case there is
   no reason to suppose that carrying ssh-vulnkey and friends for longer
   will make any more difference than it already has.

My gut feeling is that there are many more of the former than the latter,
on the grounds that negligence is generally more likely than deliberate
action, although from the confused bug mail I got at the time (from people
who didn't realise that we weren't specifically locking them out of their
systems, we were locking *the rest of the world* out of their systems), I
expect a few of the latter too.

Are there any other possibilities here where continuing to carry the
vulnerability-checking code will actually help? I'm particularly
interested if anyone has experience dealing with cleaning up such a system
they found under a rock.

-- 
Colin Watson [[email protected]]

-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/[email protected]
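The check that the blacklisting described above performs, as an added example that is not code from this thread, from ssh-vulnkey or from Debian's openssh-blacklist package: fingerprint each public key found in an authorized_keys-style file and compare it against a blacklist of known-weak fingerprints. The blacklist layout assumed here (one hex MD5 fingerprint per line) and the sample keys are constructed for this example, not the actual openssh-blacklist file format or real weak keys.

```python
import base64
import binascii
import hashlib

def make_rsa_blob(e: int, n: int) -> bytes:
    """ssh-rsa wire blob (length-prefixed type and mpints); only used to build sample keys."""
    def s(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    def mpint(x: int) -> bytes:
        return s(x.to_bytes((x.bit_length() + 8) // 8, "big"))  # leading zero keeps it positive
    return s(b"ssh-rsa") + mpint(e) + mpint(n)

def key_fingerprint_md5(blob: bytes) -> str:
    """MD5 over the raw key blob (what `ssh-keygen -l -E md5` hashes), as plain lowercase hex."""
    return hashlib.md5(blob).hexdigest()

def load_blacklist(text: str) -> set:
    """Assumed format for this example: one hex fingerprint per line, '#' lines are comments."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def parse_pubkey_line(line: str):
    """Return (keytype, blob, comment) for an authorized_keys-style line, else None.
    Options such as command="..." (without embedded spaces) may precede the key type."""
    fields = line.split()
    for i, f in enumerate(fields):
        if f.startswith(("ssh-", "ecdsa-")):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except (IndexError, binascii.Error):
                return None  # truncated line or malformed base64: skip rather than crash
            return f, blob, " ".join(fields[i + 2:])
    return None

def find_blacklisted(keys_text: str, blacklist: set) -> list:
    """Lines whose key fingerprint is on the blacklist, as (lineno, keytype, comment, fp)."""
    hits = []
    for lineno, line in enumerate(keys_text.splitlines(), 1):
        parsed = parse_pubkey_line(line)
        if parsed and key_fingerprint_md5(parsed[1]) in blacklist:
            hits.append((lineno, parsed[0], parsed[2], key_fingerprint_md5(parsed[1])))
    return hits

# Constructed sample data: tiny moduli that are not real keys, just two distinct blobs.
WEAK_BLOB = make_rsa_blob(65537, 0xC0FFEE1234567)
OK_BLOB = make_rsa_blob(65537, 0xDEADBEEF89ABC)
SAMPLE_BLACKLIST = "# constructed blacklist\n" + key_fingerprint_md5(WEAK_BLOB) + "\n"
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " alice@etch-box",
    'command="/bin/true" ssh-rsa ' + base64.b64encode(OK_BLOB).decode() + " bob@laptop",
])
```

Running `find_blacklisted(SAMPLE_AUTHORIZED_KEYS, load_blacklist(SAMPLE_BLACKLIST))` flags only line 2; the same loop over known_hosts lines (hostname before the key type) reports which remote host keys would be refused.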

