#540 Check all FAS accounts for weak SSH keys

Created 9 years ago by berrange
Modified 9 years ago

As per this announcement


any crypto keys (SSH, OpenVPN, DNSSEC, x509 certs etc) generated on a Debian host with OpenSSL in the past ~2 years have weak cryptographic material.

It is likely at least some Fedora accounts have such weak SSH keys registered. That Debian announcement provides a Perl script which can scan for weak keys. To minimise the risk to Fedora infrastructure, this check should be run across all existing registered Fedora accounts with SSH keys, and used to verify all future SSH keys uploaded in FAS.

We ended up checking all of our keys against pregenerated vulnerable keys and the Perl script. Furthermore, we have disabled the adding of new DSA keys in FAS.
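The upload-time check discussed in this ticket, sketched as an added example (not code from FAS or from the Debian Perl script). It assumes a blocklist of full MD5 fingerprints in lowercase hex; the format of the pregenerated vulnerable key lists is not shown on this page, and the helper names and sample keys are constructed for illustration.

```python
import base64, hashlib, struct

KNOWN_TYPES = {"ssh-rsa", "ssh-dss"}
REJECTED_TYPES = {"ssh-dss"}  # new DSA keys are refused, as in the ticket's resolution

def parse_pubkey(line):
    """Return (key_type, blob) from one authorized_keys-style line."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KNOWN_TYPES:
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                raise ValueError("key data is not valid base64")
            # The blob starts with a length-prefixed copy of the key type; a
            # mismatch would let a DSA blob slip in under an "ssh-rsa" label.
            if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != field.encode():
                raise ValueError("declared key type does not match key blob")
            return field, blob
    raise ValueError("no supported key type found")

def md5_fingerprint(blob):
    """Legacy OpenSSH fingerprint: MD5 of the decoded blob, hex without colons."""
    return hashlib.md5(blob).hexdigest()

def check_upload(line, blocklist):
    """Return (accepted, reason) for a key submitted to the account system."""
    try:
        key_type, blob = parse_pubkey(line)
    except ValueError as exc:
        return False, str(exc)
    if key_type in REJECTED_TYPES:
        return False, "DSA keys are no longer accepted"
    if md5_fingerprint(blob) in blocklist:
        return False, "key matches a known weak key"
    return True, "ok"

def make_sample(key_type, payload, declared=None):
    """Build a constructed (non-functional) key line for the demo below."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + payload
    return "%s %s user@example" % (declared or key_type, base64.b64encode(blob).decode())

if __name__ == "__main__":
    weak = make_sample("ssh-rsa", b"constructed-weak-key")
    blocklist = {md5_fingerprint(parse_pubkey(weak)[1])}  # constructed blocklist entry
    for line in (weak, make_sample("ssh-rsa", b"constructed-other-key"),
                 make_sample("ssh-dss", b"constructed-dsa-key")):
        print(check_upload(line, blocklist))
```

The same `check_upload` function can be run over every key already registered to find accounts that need to replace their keys.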
