On Thu, 2008-05-15 at 16:34 +0100, Andrew Haley wrote:
> Mark Wielaard wrote:
> > Hi all (CCing main classpath mailing list to get the widest exposure),
> >
> > On Tue, 2008-05-13 at 19:41 +0200, Mark Wielaard wrote:
> >> Unfortunately icedtea.classpath.org was using weak ssh server keys
> >> because of the recently discovered Debian openssl flaw:
> >> http://lists.debian.org/debian-security-announce/2008/msg00152.html
>
> That'll teach you to use Debian. ;-)

Yeah well... Note again that this would have impacted us also when running any other infrastructure that relied on ssl keys. In fact I had to also audit my CentOS based servers. Remember that the problem is the usage of weak/known keys on either side of any ssl/ssh connection. So if you ever authenticated against, or had users authenticate against, any server/account that used such weak/known keys, you should replace any ssh keys you have used (as well as any authentication tokens, like passwords, that might have gone over such connections), because you will have to assume that any such connection might have been compromised.

In fact, using Debian now makes us a bit safer since they already have openssh server packages released that will refuse any future connection based on any weak/known-blacklisted key. Other distros might still be vulnerable to anyone using the weak keys because their ssh servers still accept them.

Cheers,

Mark
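As an added illustration of the server-side refusal Mark describes (not part of the mail thread): a small Python checker that computes the MD5 fingerprint of every key in an authorized_keys file and flags those on a blacklist of known-weak fingerprints, the same audit an admin would run before rotating keys. The keys and the blacklist below are constructed toy data; the real Debian packages (openssh-blacklist, ssh-vulnkey) use their own on-disk blacklist format, so matching full colon-separated fingerprints here is an assumption made for illustration.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value: int) -> bytes:
    """SSH mpint for a positive integer: big-endian, leading zero byte if the high bit is set."""
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def rsa_key_line(e: int, n: int, comment: str) -> str:
    """Build an authorized_keys line from toy RSA parameters (constructed data, not a real key)."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def md5_fingerprint(key_line: str) -> str:
    """Colon-separated MD5 fingerprint of the public key blob on an authorized_keys line."""
    fields = key_line.split()
    # Lines may start with options such as from="host"; the key type field follows them.
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError(f"no recognised key on line: {key_line!r}")
    digest = hashlib.md5(base64.b64decode(fields[idx + 1])).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def find_blacklisted(authorized_keys: str, blacklist: set) -> list:
    """Return the comment of each key whose fingerprint is blacklisted (a server would refuse it)."""
    hits = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if md5_fingerprint(line) in blacklist:
            hits.append(line.split()[-1])
    return hits

# Constructed sample data: tiny moduli that are not real keys and not from the original mail.
WEAK_KEY = rsa_key_line(65537, 0xC0FFEE123456789ABCDEF0, "weak@example")
GOOD_KEY = rsa_key_line(65537, 0xDEADBEEF00112233445566, "good@example")
AUTHORIZED_KEYS = "\n".join(["# constructed sample authorized_keys",
                             'from="10.0.0.1" ' + WEAK_KEY, GOOD_KEY])
# Stand-in for a blacklist of known-weak fingerprints, seeded from the constructed weak key.
BLACKLIST = {md5_fingerprint(WEAK_KEY)}

if __name__ == "__main__":
    for comment in find_blacklisted(AUTHORIZED_KEYS, BLACKLIST):
        print(f"blacklisted key, replace it: {comment}")
```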