On 5/14/08, Darrin Chandler <[EMAIL PROTECTED]> wrote:
> Sure. Lots of those keys out there already. So is something like
> ssh-vulnkey the right approach? I do have a couple of users on one of my
> boxes. Mind, they're all good OpenBSD people and I really hope their
> keys didn't come from a Debian box. It'll be nice to find out that the
> keys are ok.
Probably the best that can be done. This is a lot worse than a weak PRNG making numbers such that you can predict the next one given a previous one. Personally, I haven't given much thought to the problem as I don't have users. But I think a safe, complete response goes a lot farther than just replacing a few bad keys.
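For readers who want to see what the ssh-vulnkey check mentioned above actually does, here is an added example; it is not code from this thread, from OpenSSH, or from Debian's ssh-vulnkey. It walks an authorized_keys file, takes the MD5 fingerprint of each key blob (the same fingerprint ssh-keygen -l printed at the time) and looks the key up in a per-type-and-size blacklist. The blacklist layout it assumes (one set per "RSA-2048"-style name, each entry being the last 20 hex digits of the MD5 fingerprint, lower-case, no colons) is my understanding of Debian's openssh-blacklist files and should be treated as an assumption, not a specification. The two keys and the blacklist are constructed inline so the script runs offline; the moduli are arbitrary numbers, not real (weak or otherwise) keys.

```python
"""Check authorized_keys entries against a Debian-style weak-key blacklist.

Added example, not code from the thread, OpenSSH or Debian's ssh-vulnkey.
ASSUMPTION: blacklist files hold one key per line as the last 20 hex digits
of the MD5 fingerprint, lower-case, no colons, one file per type and size.
All key material and blacklist data below is constructed for the demo.
"""
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint': big-endian magnitude, leading 0x00 if the high bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def read_strings(blob: bytes):
    """Split a public key blob into its SSH 'string' fields."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field in key blob")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated field in key blob")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def key_bits(blob: bytes) -> int:
    """Modulus size (RSA) or prime size (DSA): the number in the blacklist name."""
    fields = read_strings(blob)
    ktype = fields[0].decode()
    if ktype == "ssh-rsa":        # fields: type, e, n
        modulus = fields[2]
    elif ktype == "ssh-dss":      # fields: type, p, q, g, y
        modulus = fields[1]
    else:
        raise ValueError("unsupported key type %r" % ktype)
    return int.from_bytes(modulus, "big").bit_length()


def md5_fingerprint(blob: bytes) -> str:
    """OpenSSH's classic MD5 fingerprint of the raw blob, as 32 lower-case hex digits."""
    return hashlib.md5(blob).hexdigest()


def blacklist_entry(fingerprint_hex: str) -> str:
    """ASSUMED blacklist line format: the last 20 hex digits of the fingerprint."""
    return fingerprint_hex[-20:]


def parse_authorized_keys(text: str):
    """Yield (key type, blob, comment) per key line; skip blanks, comments, options."""
    for line in text.splitlines():
        tokens = line.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Options such as from="..." may precede the key, so locate the type token.
        # Quoted options that themselves contain spaces are not handled here.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue
        yield tokens[idx], base64.b64decode(tokens[idx + 1]), " ".join(tokens[idx + 2:])


def blob_from_line(line: str) -> bytes:
    """Convenience: the decoded blob of a single authorized_keys line."""
    return next(parse_authorized_keys(line))[1]


def find_weak_keys(authorized_keys: str, blacklists: dict):
    """Return [(comment, fingerprint)] for every key whose fingerprint is blacklisted.

    blacklists maps names like "RSA-2048" to sets of blacklist entries."""
    hits = []
    for ktype, blob, comment in parse_authorized_keys(authorized_keys):
        name = ("RSA" if ktype == "ssh-rsa" else "DSA") + "-%d" % key_bits(blob)
        fp = md5_fingerprint(blob)
        if blacklist_entry(fp) in blacklists.get(name, set()):
            hits.append((comment, fp))
    return hits


def make_rsa_line(e: int, n: int, comment: str, options: str = "") -> str:
    """Build an authorized_keys line for a CONSTRUCTED RSA public key."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    prefix = options + " " if options else ""
    return prefix + "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


# Constructed sample data: arbitrary odd 2048-bit moduli, not real keys.
WEAK_LINE = make_rsa_line(65537, (1 << 2047) | 0xC0FFEE | 1, "alice@debian-box")
GOOD_LINE = make_rsa_line(65537, (1 << 2047) | 0xDECAF | 1, "bob@openbsd-box",
                          options='from="10.0.0.0/8",no-pty')
SAMPLE_AUTHORIZED_KEYS = "# constructed sample file\n" + WEAK_LINE + "\n\n" + GOOD_LINE + "\n"

# Constructed blacklist, seeded with alice's fingerprint to show a positive match.
SAMPLE_BLACKLISTS = {
    "RSA-2048": {blacklist_entry(md5_fingerprint(blob_from_line(WEAK_LINE)))},
}


def demo():
    return find_weak_keys(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BLACKLISTS)


if __name__ == "__main__":
    for comment, fp in demo():
        print("WEAK KEY:", comment, fp)
```

Note that this only answers the question the thread asks, namely whether a given key is on the list. It says nothing about what that key has already been used for, which is why the reply above argues for a response wider than swapping out the keys that match.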