Why no ssh-vulnkey for non-ubuntu systems?

I mean, it’s not like the problem is only on Ubuntu/Debian machines. I’d like to be able to check if the keys installed on my (non-Debian and non-Ubuntu… some even non-Linux) servers are vulnerable.

What’s really nasty about this Debian ssh mess is that the vulnerability was born on the Debian clients, and spreads to every (not necessarily Debian) server where their keys are installed, making those servers vulnerable too.

So, do I have to download Ubuntu’s openssh .debs and extract ssh-vulnkey from there? That’s not really nice 🙂


Apparently there’s some huge perl script here


that should do the job… checking…
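For servers without ssh-vulnkey, the check itself is small. The following is an added example, not the Perl script mentioned above and not code from the OpenSSH or Debian projects: it parses authorized_keys content, takes the MD5 fingerprint of each key blob and looks its last 20 hex digits up in a blacklist. The one-suffix-per-line blacklist layout is an assumption to verify against your copy of the list, all function names are hypothetical, and the keys and blacklist entry are constructed for the demonstration.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # key types this sketch looks for

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data

def load_blacklist(lines):
    """Assumed list format: one 20-hex-digit fingerprint suffix per line."""
    return {l.strip().lower() for l in lines if l.strip() and not l.startswith("#")}

def parse_authorized_keys(text: str):
    """Yield (line_no, blob, comment) per key line, tolerating leading options."""
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field not in KEY_TYPES:
                continue
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                continue  # e.g. "ssh-rsa" appearing inside a command="..." option
            # The decoded blob must itself start with the same key type name.
            if blob.startswith(ssh_string(field.encode())):
                yield line_no, blob, " ".join(fields[i + 2:])
                break

def find_weak_keys(text: str, blacklist: set):
    """Return (line_no, comment, md5_hex) for every key whose suffix is listed."""
    hits = []
    for line_no, blob, comment in parse_authorized_keys(text):
        fingerprint = hashlib.md5(blob).hexdigest()
        if fingerprint[12:] in blacklist:  # compare the last 20 hex digits
            hits.append((line_no, comment, fingerprint))
    return hits

def fake_blob(seed: bytes) -> bytes:
    """Constructed stand-in for an RSA public key blob; not a real key."""
    modulus = b"\x00" + hashlib.sha256(seed).digest() * 8
    return ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(modulus)

WEAK, GOOD = fake_blob(b"weak"), fake_blob(b"good")
SAMPLE = "\n".join([  # constructed authorized_keys content
    "# keys for the deploy account",
    "ssh-rsa " + base64.b64encode(GOOD).decode() + " alice@laptop",
    'from="10.0.0.*",no-pty ssh-rsa ' + base64.b64encode(WEAK).decode() + " bob@debian-box",
])
BLACKLIST = load_blacklist(["# constructed entry", hashlib.md5(WEAK).hexdigest()[12:]])
```

Run `find_weak_keys` over every account's authorized_keys file, and over the host's own public keys as well, then remove and replace any key it reports.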


2 comments on “Why no ssh-vulnkey for non-ubuntu systems?”

  1. Kyle says:

    The issue was specific to Debian, as it was a Debian fork of the OpenSSH package which was originally compromised.

  2. renatoram says:

    Actually, no: if you still have not checked the keys on your server, do so as soon as possible.

    The problem *originated* on Debian machines, but the key couples created on machines using that broken ssh package were inherently vulnerable: if there is the possibility that users (from Debian machines) placed their (personal) keys on YOUR machine, then your machine is vulnerable, too. Sure, only that user will be compromised, but a breach is a breach.
