Why no ssh-vulnkey for non-ubuntu systems?

I mean, it’s not like the problem is only on ubuntu/debian machines. I’d like to be able to check if the keys installed on my (non-debian and non-ubuntu… some even non-linux) servers are vulnerable.

What’s really nasty of this debian ssh mess is that the vulnerability was born on the debian clients, and spreads making all the (non necessarily debian) servers where they are installed to.

So, do I have to dl ubuntu’s openssh .debs and extract ssh-vunlkey from there? That’s not really nice 🙂

–UPDATE–

Apparently there’s some huge perl script here

http://ubuntu-tutorials.com/category/security/

that should do the job… checking…

Author: renatoram

sysadmin, rpg player, gunpla modeler, avid reader... yeah, your average geek :)

2 thoughts on “Why no ssh-vulnkey for non-ubuntu systems?”

  1. The issue was specific to Debian, as it was a debian fork of the openssh package which was originally compromised.

  2. Actually, no: if you still have not checked the keys on your server, do so as soon as possible.

    The problem *originated* on Debian machines, but the key couples created on machines using that broken ssh package were inherently vulnerable: if there is the possibility that users (from debian machines) placed their (personal) keys on YOUR machine, then your machine is vulnerable, too. Sure, only that user will be compromised, but a breach is a breach.

Comments are closed.