Comments on: SSH RSA host key changed http://blog.nearlyfreespeech.net/2008/05/17/ssh-rsa-host-key-changed/ A blog from the staff at NearlyFreeSpeech.NET. Tue, 06 Jan 2009 22:14:37 +0000 By: GreenReaper http://blog.nearlyfreespeech.net/2008/05/17/ssh-rsa-host-key-changed/#comment-8198 GreenReaper Fri, 13 Jun 2008 09:15:47 +0000 http://blog.nearlyfreespeech.net/?p=46#comment-8198 The relevant member FAQ entry (q=SSH) needs to be updated, as it does not contain the rs2 key. <b>The relevant FAQ entry is actually <a href="https://members.nearlyfreespeech.net/support/faq?q=NFSNsshKeys#NFSNsshKeys" rel="nofollow">this one</a>; we've changed the one you're referring to to point to it. -jdw</b> The relevant member FAQ entry (q=SSH) needs to be updated, as it does not contain the rs2 key.

The relevant FAQ entry is actually this one; we’ve changed the one you’re referring to to point to it. -jdw

]]> By: Nesman http://blog.nearlyfreespeech.net/2008/05/17/ssh-rsa-host-key-changed/#comment-7741 Nesman Sun, 25 May 2008 03:45:17 +0000 http://blog.nearlyfreespeech.net/?p=46#comment-7741 Thank you. The capital letters didn't alarm me too much, since I see them all the time on my home network when I reload a machine. It's good to see this info posted. I know some other hosts that would make the change without any kind of announcement. (Sometimes not even telling the support staff about the change, making for some very confused customers) Thank you. The capital letters didn’t alarm me too much, since I see them all the time on my home network when I reload a machine.

It’s good to see this info posted. I know some other hosts that would make the change without any kind of announcement. (Sometimes not even telling the support staff about the change, making for some very confused customers)

]]> By: Bumpy Light http://blog.nearlyfreespeech.net/2008/05/17/ssh-rsa-host-key-changed/#comment-7637 Bumpy Light Thu, 22 May 2008 19:04:58 +0000 http://blog.nearlyfreespeech.net/?p=46#comment-7637 A timely warning, since I just now got the ALL CAPITALS WARNING and headed over here to see "What's up, Doc?" :) As usual, well-done with keeping on top of security. A timely warning, since I just now got the ALL CAPITALS WARNING and headed over here to see “What’s up, Doc?” :)

As usual, well-done with keeping on top of security.

]]> By: Charlie Melbye http://blog.nearlyfreespeech.net/2008/05/17/ssh-rsa-host-key-changed/#comment-7537 Charlie Melbye Tue, 20 May 2008 00:04:51 +0000 http://blog.nearlyfreespeech.net/?p=46#comment-7537 Nice work! I haven't gotten an email about a weak key, so I'm assuming that I should be safe :P <b>That's not necessarily a safe assumption. If you were running affected Debian versions, you should update and regenerate and replace your keys. I believe the key blacklist is known to produce both false positives and false negatives, so should not be the sole measure of safety. -jdw</b> Nice work! I haven’t gotten an email about a weak key, so I’m assuming that I should be safe :P

That’s not necessarily a safe assumption. If you were running affected Debian versions, you should update and regenerate and replace your keys. I believe the key blacklist is known to produce both false positives and false negatives, so should not be the sole measure of safety. -jdw

]]> By: Brad http://blog.nearlyfreespeech.net/2008/05/17/ssh-rsa-host-key-changed/#comment-7502 Brad Mon, 19 May 2008 01:43:39 +0000 http://blog.nearlyfreespeech.net/?p=46#comment-7502 You guys run a tight ship. :D You guys run a tight ship. :D

]]> By: Ken Dreyer http://blog.nearlyfreespeech.net/2008/05/17/ssh-rsa-host-key-changed/#comment-7471 Ken Dreyer Sun, 18 May 2008 06:06:39 +0000 http://blog.nearlyfreespeech.net/?p=46#comment-7471 I understand that it's important to move quickly when fixing holes, but since this was a policy change and not a reaction to an actual security breach, what do you think about announcing these sort of things a few days before implementing the changes? <b>We're a fast-moving company. We try to give appropriate advance notice depending on the significance of a change without turning even the most minor update into a bureaucratic nightmare. With a trivial (in its effect) change of this nature, we felt that the time most people would want information about it would be at the time they encountered the change. -jdw</b> I understand that it’s important to move quickly when fixing holes, but since this was a policy change and not a reaction to an actual security breach, what do you think about announcing these sort of things a few days before implementing the changes?

We’re a fast-moving company. We try to give appropriate advance notice depending on the significance of a change without turning even the most minor update into a bureaucratic nightmare. With a trivial (in its effect) change of this nature, we felt that the time most people would want information about it would be at the time they encountered the change. -jdw

]]> By: Alan Linton http://blog.nearlyfreespeech.net/2008/05/17/ssh-rsa-host-key-changed/#comment-7454 Alan Linton Sat, 17 May 2008 21:15:27 +0000 http://blog.nearlyfreespeech.net/?p=46#comment-7454 I was working away and was, not alarmed, but surprised to find the ssh key had changed. It is good to know it's not someone actually trying to do something nasty as my ssh client claimed might be happening. I was working away and was, not alarmed, but surprised to find the ssh key had changed. It is good to know it’s not someone actually trying to do something nasty as my ssh client claimed might be happening.

]]>