[UCI-Linux] More on Debian/Ubuntu ssh issue

Mike Iglesias iglesias at uci.edu
Thu May 15 16:39:31 PDT 2008


As I noted the other day, there is an issue with the way ssh keys are 
generated on Debian, Ubuntu, and any Linux system based on Debian over the 
last couple of years that makes them easy to guess.

If you are using the "publickey" method of logging in via ssh, and your key 
was generated on a Debian-based system (or the host key was), you are 
vulnerable to having your account broken into.  This is especially bad if you 
are using this to access root.

There are tables and programs out now to brute-force ssh keys, so if you have 
not regenerated your ssh keys and your system has ssh open in Server 
Registration, your system is vulnerable to being compromised.


-- 
Mike Iglesias                          Email:       iglesias at uci.edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2270
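
An added example, not part of the original message: one way to audit an authorized_keys file by comparing each key's MD5 fingerprint against a set of known-weak fingerprints. The sample keys and the weak set are constructed stand-ins; the blocklist format (hex MD5, no colons) is an assumption, and a real audit would load a published weak-key list.

```python
import base64
import binascii
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # public key types OpenSSH used in 2008

def md5_fingerprint(b64_blob):
    """Hex MD5 of the decoded key blob (the classic ssh fingerprint, no colons)."""
    return hashlib.md5(base64.b64decode(b64_blob, validate=True)).hexdigest()

def parse_authorized_keys(text):
    """Yield (line_no, key_type, b64_blob, comment) for each key line.
    Leading options such as from="..." are skipped by scanning for the key type."""
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field in KEY_TYPES:
                yield line_no, field, fields[i + 1], " ".join(fields[i + 2:])
                break

def audit(text, weak_fingerprints):
    """Return (line_no, status, fingerprint, comment); status is weak/ok/malformed."""
    findings = []
    for line_no, _ktype, blob, comment in parse_authorized_keys(text):
        try:
            fp = md5_fingerprint(blob)
        except (binascii.Error, ValueError):
            findings.append((line_no, "malformed", None, comment))
            continue
        status = "weak" if fp in weak_fingerprints else "ok"
        findings.append((line_no, status, fp, comment))
    return findings

# Constructed sample data: these blobs are not real keys, only stand-ins.
BLOB_A = base64.b64encode(b"constructed key blob A").decode()
BLOB_B = base64.b64encode(b"constructed key blob B").decode()
WEAK = {md5_fingerprint(BLOB_A)}  # placeholder for a published weak-key list
SAMPLE = "\n".join([
    "# constructed authorized_keys content",
    "ssh-rsa " + BLOB_A + " alice@oldbox",
    'from="10.0.0.1",no-pty ssh-dss ' + BLOB_B + " backup job",
    "ssh-rsa %%%not-base64%%% broken",
])

if __name__ == "__main__":
    for line_no, status, fp, comment in audit(SAMPLE, WEAK):
        print(f"line {line_no}: {status:9} {fp or '-'} {comment}")
```

Any line reported as weak should have its key removed and regenerated on a fixed system; malformed lines deserve a manual look.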


