Debian OpenSSL vulnerability

In May 2008 a bug was discovered in the Debian OpenSSL package which affected the seeding of the random number generator. Any SSH keys generated by affected systems should be considered “insecure”. That doesn’t mean an attacker could immediately guess your private key but because there was significantly less entropy during key generation, the key space was significantly reduced making a brute-force attack feasible.


A new tool has been added to OpenSSH after this event: ssh-vulnkey. This tool check if a key belong to the reduced “key pool”. If result is positive you must immediately regenerate a new key on an up-to-date server. Note also that security updates for all distribution has been released to blacklist the vulnerable keys.

Further Reading and sources