[Sussex] SECURITY: SSH Keys Vulnerability On Debian and Debian-derived Distributions.

Colin Tuckley colin at tuckley.org
Wed May 14 16:15:45 UTC 2008


Steve Dobson wrote:

> I took that to mean that it was only the keys generated on a Debian
> system that are vulnerable, not those generated on other OSs.  A RedHat
> system would only be vulnerable if a Debian-generated key was installed.
> Did I get that wrong?

The problem is that if the key was used for an SSH connection on a suspect
Debian system then the session key might have been compromised, which could
allow an attacker to compromise the actual SSH key. It's best to regenerate
all keys just to be sure.

Note that PGP/GnuPG keys are not affected.

Colin

-- 
Colin Tuckley      |  +44(0)1903 236872  |  PGP/GnuPG Key Id
Debian Developer   |  +44(0)7799 143369  |     0x1B3045CE

Common Sense is the collection of prejudices acquired by age eighteen. - A.
Einstein



