On Thu, May 15, 2008 at 05:44:32PM +0800, Tim Post wrote: > On Thu, 2008-05-15 at 10:02 +0100, Dave Ewart wrote: > > > Debian (and thus also Ubuntu) have released updated openssh packages > > which include a new tool called ssh-vulnkey which can be used to check > > the running system[1] for vulnerable keys: ssh-vulnkey works similarly > > to the Perl script in the Debian announcement. > > That is not 100% effective (afiak). Its still advised that you toss any > key that you are not 100% certain came from a non-effected system for > every user. > > They can always go back in once your sure that they are safe.
Can you explain why that's not effective? Do you know ssh-vulnkey (or the Perl script) does not reliably detect bad keys? -- Darrin Chandler | Phoenix BSD User Group | MetaBUG [EMAIL PROTECTED] | http://phxbug.org/ | http://metabug.org/ http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation