[Secure-testing-team] Bug#481853: [openssh-client] "ssh-vulnkey -a" does not see the weak keys of the user

Dominic Hargreaves dom at earth.li
Mon May 19 08:58:20 UTC 2008


On Mon, May 19, 2008 at 01:03:45AM +0100, David wrote:

> I have the packages openssh-blacklist and openssh-blacklist-extra installed.
> 
> 
> If I run "ssh-vulnkey -a" I get no output, either by running it as user or
> as root.
> 
> Nevertheless:
> 
> # perl dowkd.pl user
> /home/username/.ssh/known_hosts:1: weak key (OpenSSH/rsa/2048)
> /home/username/.ssh/known_hosts:2: weak key (OpenSSH/rsa/2048)
> summary: keys found: 2, weak keys: 2
> 
> I am deleting the file /home/username/.ssh/known_hosts right now, so I am
> afraid it will not be available for debugging :-(

Deleting a known_hosts file containing weak keys will not gain you any
security (rather, it'll lose you security unless you rigorously check
all the fingerprints of the host keys that used to be stored there).
You (or the system administrator of the remote machine in question)
need to regenerate the host keys on the remote machine.

I wouldn't expect ssh-vulnkey to tell me about such keys.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
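As an added illustration (not code from David's or Dominic's mail, nor from ssh-vulnkey or dowkd.pl), here is the kind of check dowkd.pl performed on known_hosts in the report above: each entry's key blob is fingerprinted and looked up in a blacklist. It assumes the openssh-blacklist file format of one 20-hex-digit entry per line (the lower 80 bits of the MD5 fingerprint), and uses constructed stand-in key blobs and a constructed blacklist rather than real weak keys.

```python
import base64
import hashlib

def fake_blob(label: bytes) -> str:
    """Constructed stand-in for an ssh-rsa public key blob (not a real key)."""
    wire = b"\x00\x00\x00\x07ssh-rsa" + b"\x00\x00\x00\x01\x23" + label
    return base64.b64encode(wire).decode()

# Constructed known_hosts: a plain host, a hashed host (|1|...) and an @marker line.
KNOWN_HOSTS = (
    f"host-a.example.net ssh-rsa {fake_blob(b'key-a')} root@host-a\n"
    f"|1|c2FsdA==|aGFzaA== ssh-rsa {fake_blob(b'key-b')}\n"
    f"@cert-authority *.example.org ssh-rsa {fake_blob(b'key-c')}\n"
)

def fingerprint_suffix(blob_b64: str) -> str:
    """Lower 80 bits (20 hex digits) of the MD5 key fingerprint, the form
    the openssh-blacklist files are assumed to use."""
    return hashlib.md5(base64.b64decode(blob_b64)).hexdigest()[-20:]

def load_blacklist(text: str) -> set:
    """Parse a blacklist file: one 20-hex-digit entry per line, '#' comments."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")}

def parse_known_hosts(text: str):
    """Yield (lineno, keytype, blob) for each key line, skipping @markers."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or line.startswith("#"):
            continue
        if fields[0].startswith("@"):   # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        yield lineno, fields[1], fields[2]

def weak_known_hosts(text: str, blacklist: set) -> list:
    """Return (lineno, keytype) for every entry whose fingerprint is blacklisted."""
    return [(lineno, keytype) for lineno, keytype, blob in parse_known_hosts(text)
            if fingerprint_suffix(blob) in blacklist]

# Constructed blacklist: pretend key-a and key-c are on the weak-key list.
BLACKLIST = load_blacklist(
    "# constructed blacklist\n"
    + fingerprint_suffix(fake_blob(b"key-a")) + "\n"
    + fingerprint_suffix(fake_blob(b"key-c")) + "\n"
)

if __name__ == "__main__":
    for lineno, keytype in weak_known_hosts(KNOWN_HOSTS, BLACKLIST):
        print(f"known_hosts:{lineno}: weak key ({keytype})")
```

A flagged entry means the remote host key itself must be regenerated by that host's administrator; removing the line only removes your record of it.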