[Uaflug] Debian SSH Advisory...
Jeff Spaleta
jspaleta at gmail.com
Wed May 14 10:22:13 AKDT 2008
On Tue, May 13, 2008 at 3:09 PM, Jeff Spaleta <jspaleta at gmail.com> wrote:
> So far this is known to involve only Debian derivatives... most likely
> all of them... that's a lot of distributions... not just Ubuntu. But
> the patch could have easily been picked up and applied outside of
> Debian, so if you are using Gentoo you should probably reach out and
> confirm that the patch wasn't lifted from Debian and applied.

Okay, I think there's still another shoe to drop. I think there is a
growing understanding that the problem potentially has a very wide
impact across distributions. SSH keys generated on an affected
Debian-based system but deployed on other systems may make the
accounts on those systems vulnerable. It's the act of key generation
that's the problem on Deb-ish systems.

So if you generated SSH keys on an affected Ubuntu system and then use
the key on any other system, you need to regenerate the key and stop
using the older SSH keys everywhere.

Did I mention that keys generated on Fedora systems aren't
problematic... but if you use the same SSH key pair on multiple Linux
distros, can you be sure you didn't generate your keys on a
Debian/Ubuntu system?

-jef
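
The advice above is to stop using an affected key everywhere it was deployed. As an added example (not part of the original post), this Python sketch finds every `authorized_keys` entry that carries a key you have decided to retire, matching on the SHA256 fingerprint format current OpenSSH prints. The names `find_deployed`, `fingerprint` and `_constructed_key`, and the sample keys and comments, are constructed for illustration.

```python
import base64, hashlib, re, struct

# Key type, then its base64 blob; options before the key are skipped by the search.
KEY_RE = re.compile(r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+([A-Za-z0-9+/]+=*)")

def fingerprint(key_type, b64):
    """SHA256 fingerprint in OpenSSH's format, or None for a malformed blob."""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    # A public-key blob begins with a length-prefixed copy of its key type.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != key_type.encode():
        return None
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_deployed(authorized_keys_text, suspect_fprs):
    """Return (line number, fingerprint, comment) for each entry using a suspect key."""
    hits = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for m in KEY_RE.finditer(line):
            fpr = fingerprint(m.group(1), m.group(2))
            if fpr is not None:  # first token pair that decodes as a real key
                if fpr in suspect_fprs:
                    hits.append((lineno, fpr, line[m.end():].strip()))
                break
    return hits

def _constructed_key(key_type, payload):  # fake but well-formed key for the sample
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + payload
    return key_type + " " + base64.b64encode(blob).decode()

OLD = _constructed_key("ssh-rsa", b"constructed-old-key")  # stands in for the key to retire
NEW = _constructed_key("ssh-rsa", b"constructed-new-key")  # stands in for its replacement
SAMPLE = "\n".join([
    "# constructed authorized_keys sample",
    OLD + " user@old-laptop",
    'command="/usr/bin/rsync --server",no-pty ' + OLD + " backup",
    NEW + " user@new-desktop",
])
SUSPECT = {fingerprint(*OLD.split())}

if __name__ == "__main__":
    for lineno, fpr, comment in find_deployed(SAMPLE, SUSPECT):
        print(f"line {lineno}: {fpr} ({comment}) -> remove and replace")
```

In practice the suspect set would hold the fingerprints of the public keys you generated on the affected system, and the text would be read from each account's `authorized_keys` file on every host where the key was installed.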