ssh-keygen still gives vulnerable keys


by R. W. Rodolico-3

I found that one of our client's servers had not been updated in almost a
year, so I updated it. This included the recent fixes to the ssh
problem. The reason for the service call was that it was not backing up
to its backup server, which happens as an rsync over ssh cron job.
Performing the update (including the openssh server and client) did not
fix the problem, and ssh-vulnkey still reported the host keys and the
key used for backup as vulnerable.

I regenerated the backup user's key and ssh-vulnkey still reported it as
vulnerable and it would not connect to the backup server. I then removed
the .ssh directory and all entries on the backup server, and regenerated
again, with the same results. I generated a new dsa key, attempted to
log into another remote server, and this failed also.

I then performed a kernel update (one was out there) and rebooted.
Unfortunately, somewhere in the process I locked myself out of remote
access (ssh refuses my connection now), so I can not troubleshoot more
until the client is back in their office tomorrow.

Any ideas on why ssh-keygen would continue to create vulnerable keys
after the update?

Rod


--
To UNSUBSCRIBE, email to debian-security-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...


Re: ssh-keygen still gives vulnerable keys

by Stephen Gran

This one time, at band camp, R. W. Rodolico said:
> Any ideas on why ssh-keygen would continue to create vulnerable keys
> after the update?

Because you upgraded openssl but not libssl?  Almost every time someone
has reported this, that's been the cause.
--
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@... |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
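
Added example, not part of Stephen Gran's message: a shell check for the partial upgrade he describes, comparing the installed `openssl` package version with the libssl runtime package version. The function name `ssl_pkg_skew` is hypothetical, and the check assumes both packages are built from one source package and therefore share a version when fully upgraded.

```shell
#!/bin/sh
# Added example (not from the thread): detect a partial OpenSSL upgrade,
# i.e. the openssl tool package upgraded while the libssl runtime was not.
#
# ssl_pkg_skew reads "<package> <version>" lines on stdin, as printed by
#   dpkg-query -W -f='${Package} ${Version}\n' openssl 'libssl*'
# Assumption: openssl and the libssl runtime are built from one source
# package, so their versions are identical after a complete upgrade.
# Exit status: 0 = versions agree, 1 = mismatch, 2 = a package is missing.
ssl_pkg_skew() {
    awk '
        $1 == "openssl" && $2 != ""      { tool = $2 }
        # Runtime packages only (libssl<soname>); skips libssl-dev and
        # entries dpkg lists with an empty version (not installed).
        $1 ~ /^libssl[0-9]/ && $2 != ""  { lib[$1] = $2 }
        END {
            if (tool == "") { print "openssl: not installed"; exit 2 }
            n = 0; bad = 0
            for (p in lib) {
                n++
                if (lib[p] != tool) {
                    bad = 1
                    printf "MISMATCH %s %s (openssl %s)\n", p, lib[p], tool
                }
            }
            if (n == 0) { print "libssl: no runtime package installed"; exit 2 }
            if (bad) exit 1
            print "ok: openssl and libssl both at " tool
        }'
}

# Run against the local system only when asked to: sh thisfile --live
if [ "${1:-}" = "--live" ]; then
    dpkg-query -W -f='${Package} ${Version}\n' openssl 'libssl*' | ssl_pkg_skew
    # Show which crypto library the ssh-keygen binary actually loads.
    ldd "$(command -v ssh-keygen)" | grep -E 'libssl|libcrypto'
fi
```

A mismatch only shows that the upgrade was incomplete; after bringing the library package up to date, regenerate the keys and re-run ssh-vulnkey on them.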



Re: ssh-keygen still gives vulnerable keys

by Dan Christensen

"R. W. Rodolico" <techinfo@...> writes:

> Performing the update (including the openssh server and client) did not
> fix the problem, and ssh-vulnkey still reported the host keys and the
> key used for backup as vulnerable.

I had this problem with a completely up-to-date Ubuntu gutsy install on
a MacBook Pro.  Every time I ran ssh-keygen, the keys were reported as
vulnerable.  On two other up-to-date gutsy machines, I didn't have this
problem.

I can't reproduce this now, as I have since upgraded the machine to
hardy, which doesn't show the problem.

Dan




Re: ssh-keygen still gives vulnerable keys

by harrisony

On Wed, Jun 4, 2008 at 10:58 AM, Dan Christensen <jdc@...> wrote:
> I had this problem with a completely up-to-date Ubuntu gutsy install on
> a MacBook Pro.  Every time I ran ssh-keygen, the keys were reported as
> vulnerable.  On two other up-to-date gutsy machines, I didn't have this
> problem.
>
> I can't reproduce this now, as I have since upgraded the machine to
> hardy, which doesn't show the problem.
Ubuntu != Debian :)

--
Harrison Conlin




Re: ssh-keygen still gives vulnerable keys

by s. keeling-2

Harrison Conlin <me@...>:
>  On Wed, Jun 4, 2008 at 10:58 AM, Dan Christensen <jdc@...> wrote:
> > I had this problem with a completely up-to-date Ubuntu gutsy install on
> >
> > I can't reproduce this now, as I have since upgraded the machine to
> > hardy, which doesn't show the problem.
>
>  Ubuntu != Debian :)

Did SuSE, Redhat, or *BSD suffer from this glitch?  Ubuntu, along with
the rest of Debian, did.  It's a Debian downstream, so quite a lot
applies to both.  Not everything, but a lot.

Take a look into alt.os.linux.slackware to see how those with that
attitude treat Zenwalk users.

I don't use *buntu myself, but I've no problem with *buntu users
seeking Debian answers here.


--
Any technology distinguishable from magic is insufficiently advanced.
(*)    http://blinkynet.net/comp/uip5.html      Linux Counter #80292
- -    http://www.faqs.org/rfcs/rfc1855.html    Please, don't Cc: me.




Re: ssh-keygen still gives vulnerable keys

by Dmitry Nedospasov

I use both Debian and Ubuntu, but the Ubuntu lists are quite good as
well, so Ubuntu users should stick to that for Ubuntu questions IMHO.

P.S. thanks to all the people who found the vulnerability and made the
fix. It was much more painless than I thought.

D.

On Jun 5, 2008, at 01:51, s. keeling wrote:

> Harrison Conlin <me@...>:
>> On Wed, Jun 4, 2008 at 10:58 AM, Dan Christensen <jdc@...> wrote:
>>> I had this problem with a completely up-to-date Ubuntu gutsy  
>>> install on
>>>
>>> I can't reproduce this now, as I have since upgraded the machine to
>>> hardy, which doesn't show the problem.
>>
>> Ubuntu != Debian :)
>
> Did SuSE, Redhat, or *BSD suffer from this glitch?  Ubuntu, along with
> the rest of Debian, did.  It's a Debian downstream, so quite a lot
> applies to both.  Not everything, but a lot.
>
> Take a look into alt.os.linux.slackware to see how those with that
> attitude treat Zenwalk users.
>
> I don't use *buntu myself, but I've no problem with *buntu users
> seeking Debian answers here.
>
>
> --
> Any technology distinguishable from magic is insufficiently advanced.
> (*)    http://blinkynet.net/comp/uip5.html      Linux Counter #80292
> - -    http://www.faqs.org/rfcs/rfc1855.html    Please, don't Cc: me.
>




Re: ssh-keygen still gives vulnerable keys

by Dan Christensen

"s. keeling" <keeling@...> writes:

> I don't use *buntu myself, but I've no problem with *buntu users
> seeking Debian answers here.

Just to clarify:  the original poster was a *Debian* user.  I simply
was reporting that the same thing happened on Ubuntu, so this was not
restricted to a single user and deserves to be investigated further.

(And I admin Debian machines too, which is why I follow this list.)

Dan

