*** This bug is a security vulnerability ***

Private security bug reported:

While specifying an IP address to ssh-keyscan works properly, piping its output to ssh-vulnkey does not:

$ ssh-keyscan -t rsa vmfeisty386 | ssh-vulnkey -
# vmfeisty386 SSH-2.0-OpenSSH_4.3p2 Debian-8ubuntu1.2
COMPROMISED: 2048 e0:94:56:44:bd:a2:2d:ce:0b:69:0a:b3:af:63:f3:f9 -

$ ssh-keyscan -t rsa 192.168.122.244 | ssh-vulnkey -
# 192.168.122.244 SSH-2.0-OpenSSH_4.3p2 Debian-8ubuntu1.2

$ host vmfeisty386
vmfeisty386.XXX has address 192.168.122.244
$ host 192.168.122.244
244.122.168.192.in-addr.arpa domain name pointer vmfeisty386.XXX

** Affects: openssh (Ubuntu)
   Importance: Medium
   Status: New

** Changed in: openssh (Ubuntu)
   Importance: Undecided => Medium

--
ssh-vulnkey doesn't scan keys when specifying IP address with ssh-keyscan
https://bugs.launchpad.net/bugs/230497