ssh blacklisting of private keys 9.04_64
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Ubuntu) | Won't Fix | Undecided | Unassigned |
Bug Description
Similar to: 328127, 328445, 348126
Three servers were installed using the same script to configure them after installing 9.04_64. In all ways they function identically except one of them is blacklisting some keys of some systems administrators. We all have had our keys for quite some time and these three systems are among hundreds of RHEL and Solaris servers where all the keys are working just fine.
The three servers are all HP ProLiant DL360 G5.
# dpkg -S /usr/sbin/sshd
openssh-server: /usr/sbin/sshd
# lsb_release -rd
Description: Ubuntu 9.04
Release: 9.04
# apt-cache policy openssh-server
openssh-server:
Installed: 1:5.1p1-5ubuntu1
Candidate: 1:5.1p1-5ubuntu1
Version table:
*** 1:5.1p1-5ubuntu1 0
500 http://
100 /var/lib/
ssh-vulnkey -a lists the failing keys as blacklisted. Debugging confirms the keys are examined and not used.
Generating a new key on a Dell Optiplex GX620 running 9.04 results in the key NOT being blacklisted, but login fails with a failure to sign key message and the password option is not made available. Adding the old key back to authorized_keys results in immediate blacklisting again.
Keys from non-Ubuntu systems have no problems. Only keys from Ubuntu (several recent versions) have been blacklisted.
There is no seahorse involved.
If your keys are being blacklisted, then, well ... they may appear to be working just fine, but everyone else on the planet can get the corresponding private keys with only a little bit of effort! You really do need to regenerate those keys. Any release of Ubuntu that's still within its support lifetime and that has all security updates applied will be fine. I'm afraid that I regard the security risk here as several orders of magnitude more serious than the inconvenience of needing to regenerate keys.
Whatever that signing failure is, it's unrelated to the blacklisting; it could easily be a configuration error due to confusion among multiple keys, or something. If you'd like to file that separately, with as much debugging information as possible, we can look into that.
See: http://www.ubuntu.com/usn/usn-612-2