[Tfug] Debian SSH vulnerability

Jude Nelson judecn at gmail.com
Tue May 13 18:47:08 MST 2008


I think the vulnerability only applies to servers, not clients.  At
least, that's what the article looked like.

On 5/13/08, Matt Jacob <m at mattjacob.com> wrote:
> Right. What Andy and Claude said is absolutely correct.
>
> This is the equivalent (for me) of managing a 100-unit apartment complex
> and having to replace the lock in each unit as well as having to issue
> new keys to all the tenants. Only, instead of 1-2 tenants per unit,
> there might be 1-20 tenants per unit.
>
> The only thing keeping me sane besides the pot of coffee I just downed
> is the fact that there's some overlap among the new keys. That is, each
> of us developers needs a new private key, and the new public key needs
> to be added to authorized_keys on every box (for the most part).
> Thankfully, the mapping is one key per developer and not one key per
> login, if you follow.
>
> M
>
> Claude Rubinson wrote:
> > On Tue, May 13, 2008 at 05:22:35PM -0700, William Stott wrote:
> >> No central patch management system for Debian?
> >
> > The problem is that user-generated keys may be weak.  No way to
> > provide a central fix for that.
> >
> > This is one of the most serious security problems that Debian's had in
> > its history and affects SSL, SSH, VPN, DNSSEC, etc.  Basically,
> > anything that makes use of OpenSSL.
> >
> > Claude
> >
> > _______________________________________________
> > Tucson Free Unix Group - tfug at tfug.org
> > Subscription Options:
> > http://www.tfug.org/mailman/listinfo/tfug_tfug.org
>
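
The rekeying Matt describes above (one new key per developer, added to authorized_keys on every box), as an added example that is not part of the original thread: it swaps a retired public key for its owner's replacement, matching on the key blob rather than the comment and keeping any per-line options. The function names, the key types listed and the sample keys are constructed for illustration.

```python
import base64
import re
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # assumption: the key types in use on these boxes


def make_blob(key_type, payload):
    """Build a constructed public-key blob (right framing, not a real key)."""
    name = key_type.encode()
    return base64.b64encode(struct.pack(">I", len(name)) + name + payload).decode()


def split_entry(line):
    """Return (options, key_type, blob, comment), or None for non-key lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = list(re.finditer(r"\S+", stripped))
    for cur, nxt in zip(tokens, tokens[1:]):
        if cur.group() not in KEY_TYPES:
            continue
        try:
            raw = base64.b64decode(nxt.group(), validate=True)
        except ValueError:
            continue  # e.g. the words "ssh-rsa test" inside a quoted option
        name = cur.group().encode()
        # A genuine blob starts with its own length-prefixed type name.
        if raw.startswith(struct.pack(">I", len(name)) + name):
            return (stripped[:cur.start()].rstrip(), cur.group(),
                    nxt.group(), stripped[nxt.end():].strip())
    return None


def rotate(text, replacements):
    """Swap each retired blob for its owner's new key, keeping line options."""
    out, swapped = [], 0
    for line in text.splitlines():
        entry = split_entry(line)
        if entry and entry[2] in replacements:
            line = " ".join(p for p in (entry[0], *replacements[entry[2]]) if p)
            swapped += 1
        out.append(line)
    return "\n".join(out) + "\n", swapped


OLD_ALICE = make_blob("ssh-rsa", b"constructed-old-alice")
NEW_ALICE = make_blob("ssh-rsa", b"constructed-new-alice")
BOB = make_blob("ssh-dss", b"constructed-bob")
SAMPLE = (  # constructed authorized_keys content
    f'from="10.0.0.5",command="echo ssh-rsa test" ssh-rsa {OLD_ALICE} alice@old\n'
    f"ssh-dss {BOB} bob@desk\n"
)
```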
