The Debian SSH key fiasco from earlier this year is starting to bear bad fruit. The original issue ( listed earlier in this blog ) is that the Debian project took out some code from the SSH source as part of a code cleansing exercise – this code unfortunately was responsible for inserting randomness into the generated keys. Now there are only 65k keys being generated and that is a fairly small amount to break. Someone could essentially spend a day generating all these keys and then trying them against random servers. In fact someone has, as CERT has indicated activity relating to these compromised keys. And this is being used in conjunction with a local kernel exploit to gain root access. And that is being used in conjunction with dropping a root kit onto the box ( phalanx2 in this case ).
Not one to choose sides in the Linux distro war, I’ve not been a fan of Debian and related distros ( including Ubuntu ). A number of issues have occurred over the years which has reduced my confidence in these distros and I think others should be listening when I say: stay away unless you’re sure.
