[Tfug] Debian SSH vulnerability
Matt Jacob
m at mattjacob.com
Tue May 13 18:06:11 MST 2008

Right. What Andy and Claude said is absolutely correct.

This is the equivalent (for me) of managing a 100-unit apartment complex
and having to replace the lock in each unit as well as having to issue
new keys to all the tenants. Only, instead of 1-2 tenants per unit,
there might be 1-20 tenants per unit.

The only thing keeping me sane besides the pot of coffee I just downed
is the fact that there's some overlap among the new keys. That is, each
of us developers needs a new private key, and the new public key needs
to be added to authorized_keys on every box (for the most part).
Thankfully, the mapping is one key per developer and not one key per
login, if you follow.

M

Claude Rubinson wrote:
> On Tue, May 13, 2008 at 05:22:35PM -0700, William Stott wrote:
>> No central patch management system for Debian?
>
> The problem is that user-generated keys may be weak. No way to
> provide a central fix for that.
>
> This is one of the most serious security problems that Debian's had in
> its history and affects SSL, SSH, VPN, DNSSEC, etc. Basically,
> anything that makes use of OpenSSL.
>
> Claude