On Wed, May 14, 2008 at 07:43:25PM -0700, Darrin Chandler wrote:
> On Wed, May 14, 2008 at 10:22:11PM -0400, Ted Unangst wrote:
> > On 5/14/08, Ben Calvert <[EMAIL PROTECTED]> wrote:
> > > On May 14, 2008, at 5:22 PM, Darrin Chandler wrote:
> > > > Are you sure that's a decent analysis? If you have a non-debian system
> > > > with the full number of keys available, what are the chances that you've
> > > > landed on one of the 32767 keys? Not very likely. So that analysis seems
> > > > alarmist and sensational to me.
> >
> > Because nobody would ever run ssh-keygen on their ubuntu desktop and
> > copy that to authorized_keys on another computer.
>
> Sure. Lots of those keys out there already. So is something like
> ssh-vulnkey the right approach? I do have a couple of users on one of my
> boxes. Mind, they're all good OpenBSD people and I really hope their
> keys didn't come from a debian box. It'll be nice to find out that the
> keys are ok.

You can use the perl script in the debian announcement to check host
keys and user keys.

	-Otto
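
Added example, not part of the thread and not the Debian script or ssh-vulnkey: one way to audit an authorized_keys file by comparing each key's MD5 fingerprint with a list of known-weak fingerprints. The function names, the sample keys and the blocklist (assumed here to hold full MD5 fingerprints) are constructed for illustration; a real audit would load the weak-key list supplied by the distributor.

```python
import struct, base64, hashlib
KEY_TYPES = ("ssh-rsa", "ssh-dss")  # public-key types in use at the time

def key_blob(key_type, b64):
    """Decode a base64 key blob; None unless it embeds the same key type."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    name = key_type.encode()
    return raw if raw.startswith(struct.pack(">I", len(name)) + name) else None

def fingerprint(raw):
    """Colon-separated MD5 fingerprint of the raw public-key blob."""
    return hashlib.md5(raw).digest().hex(":")

def audit(text, blocklist):
    """Return (line_no, comment, fingerprint, is_listed) for each key line."""
    results = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options may precede the key, so take the first type token that is
        # followed by a blob which really decodes to that key type.
        for i in range(len(fields) - 1):
            raw = key_blob(fields[i], fields[i + 1]) if fields[i] in KEY_TYPES else None
            if raw is not None:
                fp = fingerprint(raw)
                results.append((no, " ".join(fields[i + 2:]), fp, fp in blocklist))
                break
    return results

def _sample_key(fill):
    """Constructed RSA-shaped blob: type string, e=65537, fake 8-byte modulus."""
    parts = [b"ssh-rsa", b"\x01\x00\x01", bytes([fill]) * 8]
    raw = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return raw, base64.b64encode(raw).decode()

WEAK_RAW, WEAK_B64 = _sample_key(0x11)
_, OK_B64 = _sample_key(0x22)
BLOCKLIST = {fingerprint(WEAK_RAW)}  # constructed; not a real weak-key list
SAMPLE = "\n".join([
    "# constructed authorized_keys",
    "ssh-rsa " + WEAK_B64 + " alice@desktop",
    'command="echo ssh-rsa x",no-pty ssh-rsa ' + OK_B64 + " bob@laptop",
    "ssh-rsa not-base64!! carol@broken",
])

if __name__ == "__main__":
    print(*audit(SAMPLE, BLOCKLIST), sep="\n")
```

Lines whose key blob does not decode (the last sample line) are skipped rather than reported, so an empty result for a file does not by itself mean every key in it was checked.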