Posted by: tycheent | May 14, 2008

Security Alert

As many of you may know already, there has been a security alert posted for OpenSSL (posted by Debian at http://lists.debian.org/debian-security-announce/2008/msg00152.html) that affects ssh keys:

“It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.” (From the Debian Alert)

This has been reported on “The Fridge” for Ubuntu (http://fridge.ubuntu.com/node/1445), with further information on how to correct the problem listed at http://www.ubuntu.com/usn/usn-612-2.

Anyone using ssh, either as server or client (or both) should take note of this information and immediately see to the creation and dissemination of new ssh keys. Launchpad has already sent out notices which say, in part:

“You need to take action to continue using Launchpad features such as code hosting. We have deleted your SSH key from Launchpad because we have discovered a potential security vulnerability in the way your key was generated.”

The means of correcting the problem, though a bit involved and tedious, are actually quite straightforward and easy to accomplish. Due to its importance, you will likely see information posted in many places by many people. One thing that is not mentioned in any of them is that you are not considered to be at fault for the problem. This occurred as the result of a programming error, not as the result of YOU making a weak key. However, it does mean that everyone with an ssh key needs to take corrective action at once. Failure to create new ssh keys could restrict your access to services you previously used.
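The approach used to find affected keys (matching each key's fingerprint against a blacklist of fingerprints of known-weak keys) can be sketched in a few lines of Python. This is an added illustration, not code from this post or from the Debian/Ubuntu tools; the key blobs and the blacklist are constructed, and the assumption that a blacklist entry is the last 20 hex digits of a key's MD5 fingerprint is mine.

```python
import base64
import hashlib

# Constructed sample public-key lines in OpenSSH format. The base64 blobs are
# arbitrary bytes, not real keys, so the fingerprint logic has input to work on.
WEAK_KEY_LINE = "ssh-rsa " + base64.b64encode(b"constructed-weak-blob-0001").decode() + " weak@example"
GOOD_KEY_LINE = "ssh-dss " + base64.b64encode(b"constructed-good-blob-0002").decode() + " good@example"
# authorized_keys may carry options before the key type; this line tests that path.
OPTS_KEY_LINE = 'no-pty ' + WEAK_KEY_LINE

def key_blob(line):
    """Return the raw key bytes from an authorized_keys / id_*.pub style line.
    Options containing quoted spaces are not handled by this simple split."""
    fields = line.split()
    for i, field in enumerate(fields):
        if field.startswith("ssh-") and i + 1 < len(fields):
            return base64.b64decode(fields[i + 1])
    raise ValueError("not an OpenSSH public key line")

def md5_fingerprint(blob):
    """Hex MD5 of the key blob, the fingerprint form used by 2008-era OpenSSH."""
    return hashlib.md5(blob).hexdigest()

def load_blacklist(text):
    """Parse a blacklist file: '#' comments skipped, one entry per line."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")}

def is_blacklisted(line, blacklist):
    # Assumption: entries are the lower 80 bits (last 20 hex digits) of the fingerprint.
    return md5_fingerprint(key_blob(line))[-20:] in blacklist

# Constructed blacklist, derived from the constructed weak key so the demo is self-contained.
SAMPLE_BLACKLIST_TEXT = "# constructed blacklist\n" + md5_fingerprint(key_blob(WEAK_KEY_LINE))[-20:] + "\n"

def audit(lines, blacklist):
    """Return the comment field of every key that must be regenerated."""
    flagged = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments in authorized_keys
        if is_blacklisted(line, blacklist):
            fields = line.split()
            flagged.append(fields[-1] if len(fields) > 2 else "(no comment)")
    return flagged

if __name__ == "__main__":
    bl = load_blacklist(SAMPLE_BLACKLIST_TEXT)
    print("regenerate:", audit([WEAK_KEY_LINE, GOOD_KEY_LINE, OPTS_KEY_LINE], bl))
```

Running it over a real authorized_keys file would only be meaningful with the actual blacklist data shipped by the distribution; the logic is what matters here.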

Thank you for your prompt attention.

