On Tue, 2008-05-13 at 20:20 +0200, Rody wrote:

> In response to the latest security issue with ssl / ssh, I updated my
> packages with the new fixed versions of ssl. However the steps to regenerate
> the keys are not available on:
> www.debian.org/security/key-rollover/
> as the security advisory tells us.
> According to Google, the page did exist 4 hours ago, but right now it's a
> dead link.
> I could do one of two things without the rollover text:
>
> 1) remove all packages with ssl and ssh in the name, and reinstall them after
> that. The necessary keys should be created that way.

This is probably neither necessary nor sufficient. It's not sufficient because other programs (e.g., mail servers, database servers) may use certificates generated with ssl. Also, unless you purge the package it may leave some old keys.

> 2) figure out for myself what combination of dpkg --configure commands I
> should use to recreate all the keys on my systems.

So far I have

1) regenerated keys in ~/.ssh, including tossing my old authorized keys from other systems. I put the new key on a diskette to take to my other systems, since I assume transmitting via scp is not a good idea until they are updated.

2) cd /etc/ssh; invoke-rc.d ssh stop; rm *host*; dpkg-reconfigure --default-priority openssh-server

I believe that if dpkg-reconfigure finds existing files it will leave them alone, so you need to delete or move them. I actually moved rather than rm'd the old files.

I can't say I really understand the role of the keys in /etc/ssh vs those in ~/.ssh, beyond the fact that the former establish host identity.

As my previous message indicated, I'm not sure if such extreme measures are necessary for rsa keys. And I have several other server applications that probably need new certificates.

With luck others who know more will comment, and the page of instructions will reappear and grow.

Ross

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
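The host-key step in Ross's message, written up as an added example (not from the thread or from Debian): the old keys are moved into a timestamped backup directory instead of being rm'd, so they can still be inspected or restored, and the regeneration via dpkg-reconfigure only runs where that tool exists. The directory arguments and function names are my own; the key file names follow the usual ssh_host_*key pattern.

```shell
#!/bin/sh
# Added example: move aside old SSH host keys, regenerate, show new fingerprints.
set -eu

# Move every ssh_host_*key / ssh_host_*key.pub file in $1 into a fresh,
# timestamped backup directory under $2 and print that directory's path.
# Nothing is deleted; dpkg-reconfigure then sees no existing keys and
# generates new ones (it leaves existing files alone, as noted above).
backup_host_keys() {
    keydir=$1
    backupdir=$2/ssh-host-keys.$(date +%Y%m%d%H%M%S)
    mkdir -p "$backupdir"
    chmod 700 "$backupdir"            # old private keys stay readable by root only
    for f in "$keydir"/ssh_host_*key "$keydir"/ssh_host_*key.pub; do
        [ -e "$f" ] || continue       # unmatched glob: nothing to move
        mv "$f" "$backupdir"/
    done
    echo "$backupdir"
}

# Regenerate via the package maintainer scripts (Debian), as in the message;
# skipped when the tools are absent so the script still runs elsewhere.
regenerate_host_keys() {
    if command -v dpkg-reconfigure >/dev/null 2>&1; then
        invoke-rc.d ssh stop
        dpkg-reconfigure --default-priority openssh-server
        invoke-rc.d ssh start
    fi
}

# Print the fingerprints of the new public keys so they can be carried to the
# other systems out of band (the diskette route) before trusting the host again.
show_fingerprints() {
    for pub in "$1"/ssh_host_*key.pub; do
        [ -e "$pub" ] || continue
        ssh-keygen -l -f "$pub"
    done
}

# Usage (as root): backup_host_keys /etc/ssh /root; regenerate_host_keys;
#                  show_fingerprints /etc/ssh
```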