Package: openssh-client
Version: 1:4.3p2-9etch2
Severity: grave
Tags: security
Justification: user security hole
ssh-keygen generates COMPROMISED keys after recent upgrade of etch

Example:

$ ssh -V
OpenSSH_4.3p2 Debian-9etch2, OpenSSL 0.9.8e 23 Feb 2007
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/urban/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/urban/.ssh/id_rsa.
Your public key has been saved in /home/urban/.ssh/id_rsa.pub.
The key fingerprint is:
cf:f1:d8:16:c2:2c:bf:db:de:f0:24:75:95:33:92:e0 [EMAIL PROTECTED]
$ ssh-vulnkey
....
COMPROMISED: 2048 cf:f1:d8:16:c2:2c:bf:db:de:f0:24:75:95:33:92:e0 /home/urban/.ssh/id_rsa.pub

The following OLDER version of ssh seems NOT to exhibit this problem:

$ ssh -V
OpenSSH_4.3p2 Debian-9etch1, OpenSSL 0.9.8c 05 Sep 2006
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/urban/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/urban/.ssh/id_rsa.
Your public key has been saved in /home/urban/.ssh/id_rsa.pub.
The key fingerprint is:
26:3c:5d:20:96:b6:48:4b:20:80:87:2f:bb:b7:08:51 [EMAIL PROTECTED]
[EMAIL PROTECTED]:~/.ssh$ ssh-vulnkey
....
Not blacklisted: 2048 26:3c:5d:20:96:b6:48:4b:20:80:87:2f:bb:b7:08:51 /home/urban/.ssh/id_rsa.pub
....
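As an added illustration (not part of this bug report, and not the ssh-vulnkey source itself), the check below does what ssh-vulnkey's output above reflects: it computes the colon-separated MD5 fingerprint of an ssh-rsa public key and looks it up in a blacklist of known-weak fingerprints. The key blobs and the blacklist set are constructed; real openssh-blacklist files use a different, abbreviated entry format, which this example does not reproduce.

```python
# Added example: minimal fingerprint-blacklist check in the spirit of ssh-vulnkey.
# Constructed keys and blacklist; not the bug report's or OpenSSH's own code.
import base64
import hashlib
import struct


def mpint(n):
    """Encode a non-negative integer as an SSH mpint (RFC 4251)."""
    # (bit_length + 8) // 8 adds a leading 0x00 whenever the top bit is set.
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def rsa_blob(e, n):
    """Build an ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    name = b"ssh-rsa"
    return struct.pack(">I", len(name)) + name + mpint(e) + mpint(n)


def parse_pubkey_line(line):
    """Parse one id_rsa.pub / authorized_keys line into (key type, raw blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    blob = base64.b64decode(fields[1])
    # The blob carries its own type string; it must agree with the text field.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode() != fields[0]:
        raise ValueError("key type mismatch between text field and blob")
    return fields[0], blob


def md5_fingerprint(blob):
    """OpenSSH's classic colon-separated MD5 fingerprint of a key blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def check_key(line, blacklist):
    """Return "COMPROMISED" or "Not blacklisted", mirroring ssh-vulnkey's wording."""
    _, blob = parse_pubkey_line(line)
    return "COMPROMISED" if md5_fingerprint(blob) in blacklist else "Not blacklisted"


# Constructed sample keys: tiny moduli stand in for real 2048-bit keys.
BAD_BLOB = rsa_blob(65537, 0xC0FFEE0123456789ABCDEF)
GOOD_BLOB = rsa_blob(65537, 0xDEADBEEF0123456789ABCDEF)
BAD_KEY = "ssh-rsa " + base64.b64encode(BAD_BLOB).decode() + " user@host"
GOOD_KEY = "ssh-rsa " + base64.b64encode(GOOD_BLOB).decode() + " user@host"
# Constructed blacklist: treat the first key's fingerprint as a known-weak one.
BLACKLIST = {md5_fingerprint(BAD_BLOB)}
```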
-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages openssh-client depends on:
ii  add  3.102                                 Add and remove users and groups
ii  deb  1.5.13                                Debian configuration management sy
ii  dpk  1.13.25                               package maintenance system for Deb
ii  lib  2.3.6.ds1-13etch5                     GNU C Library: Shared libraries
ii  lib  1.39+1.40-WIP-2006.11.14+dfsg-2etch1  common error description library
ii  lib  2.9.cvs.20050518-3                    BSD editline and history libraries
ii  lib  1.4.4-7etch5                          MIT Kerberos runtime libraries
ii  lib  5.5-5                                 Shared libraries for terminal hand
ii  lib  0.9.8e-4                              SSL shared libraries
ii  pas  1:4.0.18.1-7                          change and administer password and
ii  zli  1:1.2.3-13                            compression library - runtime

openssh-client recommends no packages.

-- no debconf information