I mean, it’s not like the problem is only on ubuntu/debian machines. I’d like to be able to check if the keys installed on my (non-debian and non-ubuntu… some even non-linux) servers are vulnerable.
What’s really nasty about this debian ssh mess is that the vulnerability was born on the debian clients, and spreads, making all the (not necessarily debian) servers where they are installed vulnerable too.
So, do I have to dl ubuntu’s openssh .debs and extract ssh-vulnkey from there? That’s not really nice 🙂
–UPDATE–
Apparently there’s some huge perl script here
http://ubuntu-tutorials.com/category/security/
that should do the job… checking…
The issue was specific to Debian, as it was a debian fork of the openssh package which was originally compromised.
Actually, no: if you still have not checked the keys on your server, do so as soon as possible.
The problem *originated* on Debian machines, but the key couples created on machines using that broken ssh package were inherently vulnerable: if there is the possibility that users (from debian machines) placed their (personal) keys on YOUR machine, then your machine is vulnerable, too. Sure, only that user will be compromised, but a breach is a breach.
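The server-side check discussed in this thread, as an added example (not part of the original post or comments, and not the ssh-vulnkey tool or the Perl script mentioned above): a Python audit of an `authorized_keys` file against a blacklist of weak-key fingerprints, usable on any OS. It assumes the blacklist holds one entry per line made of the last 20 hex digits of the key's MD5 fingerprint; the function names and the sample keys are constructed for illustration.

```python
import base64
import binascii
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # key types in use when the weak keys were generated

def md5_fingerprint(b64_blob):
    """Hex MD5 of the decoded public-key blob (classic OpenSSH fingerprint, no colons)."""
    return hashlib.md5(base64.b64decode(b64_blob, validate=True)).hexdigest()

def load_blacklist(lines):
    """Assumed format: one truncated fingerprint (20 hex digits) per line, '#' comments."""
    return {l.strip().lower() for l in lines if l.strip() and not l.startswith("#")}

def parse_authorized_keys(text):
    """Yield (lineno, keytype, b64_blob, comment); a leading options field is skipped."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, field in enumerate(fields):
            if field in KEY_TYPES and i + 1 < len(fields):
                yield lineno, field, fields[i + 1], " ".join(fields[i + 2:])
                break

def find_weak_keys(text, blacklist):
    """Return (lineno, keytype, fingerprint, comment) for every blacklisted key."""
    hits = []
    for lineno, ktype, blob, comment in parse_authorized_keys(text):
        try:
            fp = md5_fingerprint(blob)
        except (binascii.Error, ValueError):
            continue  # corrupt entry: not a usable key, nothing to match
        if fp[12:] in blacklist:
            hits.append((lineno, ktype, fp, comment))
    return hits

if __name__ == "__main__":
    # Constructed stand-ins for key blobs; real entries carry a full public key.
    weak = base64.b64encode(b"constructed-weak-key").decode()
    good = base64.b64encode(b"constructed-good-key").decode()
    sample = (
        f'command="/bin/true",no-pty ssh-rsa {weak} alice@debian-laptop\n'
        f"ssh-rsa {good} bob@openbsd-box\n"
    )
    blacklist = load_blacklist([md5_fingerprint(weak)[12:] + "\n"])
    for lineno, ktype, fp, comment in find_weak_keys(sample, blacklist):
        print(f"line {lineno}: {ktype} {fp} ({comment}) is blacklisted")
```

Run it over every user's `authorized_keys` on the server, loading the blacklist that matches each key's type and size, and remove any entry it reports.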