Ticket #540 (closed task: fixed)

Opened 8 years ago

Last modified 8 years ago

Check all FAS accounts for weak SSH keys

Reported by: berrange
Owned by: nobody
Priority: major
Component: General
Severity: High


As per this announcement, any crypto keys (SSH, OpenVPN, DNSSEC, x509 certs etc) generated on a Debian host with OpenSSL in the past ~2 years have weak cryptographic material.

It is likely at least some Fedora accounts have such weak SSH keys registered. That Debian announcement provides a Perl script which can scan for weak keys. To minimise the risk to Fedora infrastructure, this check should be run across all existing registered Fedora accounts with SSH keys, and used to verify all future SSH keys uploaded in FAS.

Change History

comment:1 Changed 8 years ago by ricky

  • Status changed from new to closed
  • Resolution set to fixed

We ended up checking all of our keys against pregenerated vulnerable keys and the Perl script. Furthermore, we have disabled the adding of new DSA keys in FAS.
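The check this ticket describes (match every registered SSH key against a list of known weak keys, and refuse new DSA keys) is sketched below as an added example; it is not FAS code or the Debian Perl script. The blocklist format (a set of MD5 hex fingerprints), the function names and the sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

def parse_pubkey(line):
    """Split a 'type base64 [comment]' line and return (key_type, blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    n = int.from_bytes(blob[:4], "big")
    # The blob embeds its own type; a mismatch means a malformed or relabelled key.
    if len(blob) < 4 or blob[4:4 + n] != key_type.encode():
        raise ValueError("blob does not start with its key type")
    return key_type, blob

def fingerprint(blob):
    """MD5 of the decoded blob as bare hex (the classic SSH fingerprint)."""
    return hashlib.md5(blob).hexdigest()

def check_key(line, weak_fingerprints, allow_dsa=False):
    """Return (accepted, reason) for one public key line."""
    try:
        key_type, blob = parse_pubkey(line)
    except ValueError as exc:  # base64 errors are ValueError subclasses
        return False, "unparseable: %s" % exc
    if key_type == "ssh-dss" and not allow_dsa:
        return False, "DSA key refused"
    if fingerprint(blob) in weak_fingerprints:
        return False, "known weak key"
    return True, "ok"

def audit(accounts, weak_fingerprints):
    """Scan {username: [key lines]}; return sorted [(username, reason)] rejects."""
    results = ((user, check_key(line, weak_fingerprints))
               for user, lines in sorted(accounts.items()) for line in lines)
    return [(user, reason) for user, (ok, reason) in results if not ok]

def sample_line(key_type, *fields):
    """Constructed test key: filler bytes in SSH blob framing, not a real key."""
    parts = (key_type.encode(),) + fields
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "%s %s user@example" % (key_type, base64.b64encode(blob).decode())

WEAK = sample_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xaa" * 16)
GOOD = sample_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xbb" * 16)
DSA = sample_line("ssh-dss", b"\x11" * 8, b"\x22" * 4, b"\x33" * 8, b"\x44" * 8)
WEAK_FPS = {fingerprint(parse_pubkey(WEAK)[1])}  # stand-in for the pregenerated list
ACCOUNTS = {"alice": [GOOD], "bob": [WEAK], "carol": [GOOD, DSA]}
```

`audit(ACCOUNTS, WEAK_FPS)` covers the one-off sweep of existing accounts, and `check_key` is the same test applied to each new upload.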
