Hello,

On Wednesday, 14 May 2008, Florian Weimer wrote:
> Package        : openssh
> Vulnerability  : predictable random number generator
> Problem type   : remote
> Debian-specific: yes
> CVE Id(s)      : CVE-2008-0166
>
> The recently announced vulnerability in Debian's openssl package
> (DSA-1571-1, CVE-2008-0166) indirectly affects OpenSSH. As a result,
> all user and host keys generated using broken versions of the openssl
> package must be considered untrustworthy, even after the openssl update
> has been applied.
[...]
> 3. Check all OpenSSH user keys
[...]
> Check whether your key is affected by running the ssh-vulnkey tool,
> included in the security update. By default, ssh-vulnkey will check the
> standard location for user keys (~/.ssh/id_rsa, ~/.ssh/id_dsa and
> ~/.ssh/identity), your authorized_keys file (~/.ssh/authorized_keys and
> ~/.ssh/authorized_keys2), and the system's host keys
> (/etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key).
>
> To check all your own keys, assuming they are in the standard
> locations (~/.ssh/id_rsa, ~/.ssh/id_dsa, or ~/.ssh/identity):
>
>   ssh-vulnkey

I took a look at it and found two large blacklists containing lots of keys - but no info on how these lists are generated - that makes me wonder:

AFAIR DSA keys ought to be considered compromised, even if they aren't generated by a broken libssl - so what's the sense in here?

For the RSA part: Is it possible that file contains non-broken keys or that broken keys are not listed? What are the criteria for RSA-keys to be listed?

Thanks,
Keep smiling
yanosz
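The blacklist lookup that the quoted advisory's ssh-vulnkey step relies on can be sketched as follows; this is an added example, not part of the message above and not the Debian tool's code. It assumes the blacklist format shipped with Debian's openssh-blacklist package (comment lines, then one entry per line holding the last 20 hex digits of the key's MD5 fingerprint) and, as a simplification, uses a single list instead of one file per key type and size. All function names, key blobs and blacklist entries are constructed for illustration.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss")

def md5_fingerprint(line):
    """Hex MD5 of the key blob in an authorized_keys/.pub line, or None."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError
                return None
            return hashlib.md5(blob).hexdigest()
    return None

def load_blacklist(text):
    """Assumed format: '#' comments, then one 20-hex-digit entry per line."""
    lines = (l.strip().lower() for l in text.splitlines())
    return {l for l in lines if l and not l.startswith("#")}

def check_keys(keys_text, blacklist):
    """Return (line_no, status, fingerprint) for every key line."""
    results = []
    for n, line in enumerate(keys_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = md5_fingerprint(line)
        if fp is None:
            results.append((n, "unparsed", None))
        else:
            # Entries hold the fingerprint minus its first 12 hex digits.
            status = "COMPROMISED" if fp[12:] in blacklist else "not listed"
            results.append((n, status, fp))
    return results

# Constructed sample data: these blobs are not real keys.
WEAK = b"constructed-weak-key-blob"
GOOD = b"constructed-good-key-blob"
SAMPLE_KEYS = f"""# constructed authorized_keys
ssh-rsa {base64.b64encode(WEAK).decode()} alice@old-host
from="10.0.0.1" ssh-rsa {base64.b64encode(GOOD).decode()} bob@new-host
ssh-rsa not*base64 carol@broken
"""
SAMPLE_BLACKLIST = "# constructed blacklist\n" + hashlib.md5(WEAK).hexdigest()[12:] + "\n"

if __name__ == "__main__":
    for row in check_keys(SAMPLE_KEYS, load_blacklist(SAMPLE_BLACKLIST)):
        print(row)
```

A "not listed" result only means the fingerprint is absent from the list supplied; lines that fail to parse are reported separately so they can be reviewed by hand.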