*** This bug is a security vulnerability *** Public security bug reported:
Not all keys can be checked with ssh-vulnkey, and users forget that they need to take care of servers used by them that did accept the weak keys. I think we should at least warn about that.

Details:

1) ssh-vulnkey cannot check DSA keys that are in non-standard locations, or that are on removable media like USB keys. At least inform the user about that and instruct them to run ssh-vulnkey by hand. A more reliable solution: modify ssh to always check the key that is about to be used. But that is more work (and double-check! i.e. do not store the key being checked in /tmp or something!)

2) someone should probably warn users that just installing the fix and regenerating the key is not enough to be 100% safe from the consequences of this bug, that is:
  a) servers that were set to accept the weak key may have already been compromised. To be really sure, admins should reinstall them.
  b) the same for your own box, if you log into your own box using a public key
  c) remember to remove wrong keys from .authorized_keys or update server software to do that (or warn the server admin)

I'm not a security specialist, so I first consulted the above with advanced users, admins, and developers. I also noted how most "regular users" thought that just installing the upgrade is enough and they can forget about the issue. I don't want to read on Slashdot next month how thousands of small servers were compromised because users didn't realize that they told servers to accept their weak keys and the servers were not maintained well, so please, let's warn the users.

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

--
ssh-vulnkey doesn't check all keys. Also, it would be nice to extend the warning message.
https://bugs.launchpad.net/bugs/230632
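Point 2c above (removing the weak keys that servers were told to accept) is the step a server admin does on their own side, independently of whether the client ever ran ssh-vulnkey. The script below is an added example, not code from the bug report or from the ssh-vulnkey tool: it parses an authorized_keys file, computes each key's MD5 (colon form) and SHA256 fingerprint the way ssh-keygen -l prints them, and separates the lines whose fingerprint appears in a blacklist from those to keep. The key blobs, the authorized_keys content and the blacklist are all constructed for the demo; in a real audit the blacklist would be the published fingerprints of the weak keys, which this example does not contain.

```python
"""Audit an authorized_keys file against a set of blacklisted key fingerprints.

Added example (not from the bug report or from ssh-vulnkey). All key material
below is constructed for the demo and is not a real RSA key.
"""
from __future__ import annotations

import base64
import hashlib
import re
import struct
from typing import NamedTuple, Optional

# key type followed by the base64 blob; anything before is options, after is comment
KEY_RE = re.compile(r"(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)")


class KeyEntry(NamedTuple):
    options: str
    keytype: str
    blob: bytes
    comment: str
    line: str


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed byte string, as in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(x: int) -> bytes:
    """Positive multiple-precision integer; the extra byte keeps the sign bit clear."""
    return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def build_rsa_blob(e: int, n: int) -> bytes:
    """Public key blob in OpenSSH format: "ssh-rsa", e, n (demo values only)."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the form ssh-keygen -l printed in 2008."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256 fingerprint as current ssh-keygen -l prints it (base64, no padding)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_line(line: str) -> Optional[KeyEntry]:
    """Return a KeyEntry for a key line, or None for comments, blanks and unparsable lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = KEY_RE.search(stripped)
    if m is None:
        return None
    try:
        blob = base64.b64decode(m.group(2), validate=True)
    except ValueError:
        return None
    # the blob's first wire string must name the same key type as the text token
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != m.group(1).encode():
        return None
    return KeyEntry(stripped[:m.start()].strip(), m.group(1), blob,
                    stripped[m.end():].strip(), stripped)


def audit(text: str, blacklist: set[str]) -> tuple[list[str], list[KeyEntry]]:
    """Split authorized_keys text into (lines to keep, blacklisted entries to remove).

    Lines that cannot be parsed are kept unchanged so a human can review them.
    """
    kept: list[str] = []
    removed: list[KeyEntry] = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and (fingerprint_md5(entry.blob) in blacklist
                                  or fingerprint_sha256(entry.blob) in blacklist):
            removed.append(entry)
        else:
            kept.append(line)
    return kept, removed


# Constructed demo keys with tiny moduli: NOT real keys, just valid blob structure.
WEAK_BLOB = build_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
GOOD_BLOB = build_rsa_blob(65537, 0xDEADBEEFCAFEBABE0BADF00D)

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    'from="10.0.0.0/8",no-pty ssh-rsa ' + base64.b64encode(WEAK_BLOB).decode() + " alice@laptop",
    "ssh-rsa " + base64.b64encode(GOOD_BLOB).decode() + " bob@desktop",
])

# Constructed blacklist: a real audit would load the published weak-key fingerprints.
BLACKLIST = {fingerprint_md5(WEAK_BLOB)}


def run_sample() -> tuple[list[str], list[KeyEntry]]:
    return audit(SAMPLE_AUTHORIZED_KEYS, BLACKLIST)


if __name__ == "__main__":
    kept_lines, removed_entries = run_sample()
    for entry in removed_entries:
        print("REMOVE", entry.keytype, fingerprint_sha256(entry.blob), entry.comment)
    print("--- keep ---")
    print("\n".join(kept_lines))
```

The audit matches on either fingerprint form so a blacklist in the old colon-MD5 style and one in the newer SHA256 style both work. Blacklisted entries are returned as parsed objects (with their options and comment intact) rather than silently dropped, so the admin can record which user's key was removed before writing the kept lines back.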