SSH RSA host key changed
After a review of our security practices brought on by the recent Debian ssh key security issue (which does not affect our FreeBSD-based service), we’ve decided to upgrade the strength of our RSA ssh host key from 1024 bits to the same length that we recommend you use, 4096 bits.
The correct/current RSA host key:
fc:89:a1:64:74:70:a4:82:58:c1:73:4e:72:59:63:56
This naturally changes the host key fingerprint, and is likely to cause warnings for people who have previously connected. This doesn’t indicate a security problem, but you should compare the new key against its fingerprint.
You can verify this on our secure site in the member FAQ.
We have not changed the DSA key, as limitations in the DSA algorithm render longer keys pointless. We discourage but will continue to allow the use of DSA keys.
We apologize to anyone alarmed by the ALL CAPITAL LETTERS!! warnings that ssh applications tend to produce when a host key changes. The new key length should guarantee that we don’t have to change it again for a good long time.
In other key-related news, we scanned all member ssh keys for the Debian weak keys and notified everyone who appeared to be affected. Since there are exploits in the wild, we will shortly be removing any remaining weak keys, and we will not accept any new weak keys for access to member sites.
7 Comments
RSS feed for comments on this post.
Sorry, the comment form is closed at this time.
Categories:
- Beta
(9)
- Humor (3)
- Miscellaneous (3)
- Network Status (23)
- News & Announcements (73)
- Policy Changes (11)
- Politics & Legal (8)
- Tips & Tricks (6)
- Updates & Upgrades (59)
Archives:
- December 2023 (1)
- August 2023 (1)
- July 2023 (1)
- January 2022 (1)
- January 2021 (1)
- December 2019 (1)
- February 2018 (1)
- September 2017 (1)
- February 2016 (1)
- June 2015 (1)
- May 2015 (1)
- March 2015 (1)
- December 2014 (1)
- November 2014 (1)
- September 2014 (1)
- August 2014 (2)
- July 2014 (1)
- April 2014 (1)
- February 2014 (1)
- December 2013 (1)
- September 2013 (2)
- December 2012 (1)
- October 2012 (1)
- July 2012 (1)
- January 2012 (2)
- December 2011 (1)
- November 2011 (1)
- August 2011 (1)
- April 2011 (1)
- March 2011 (1)
- February 2011 (1)
- November 2010 (2)
- July 2010 (1)
- June 2010 (1)
- April 2010 (1)
- March 2010 (2)
- November 2009 (2)
- August 2009 (1)
- July 2009 (1)
- June 2009 (3)
- March 2009 (1)
- February 2009 (1)
- November 2008 (2)
- October 2008 (1)
- September 2008 (3)
- May 2008 (3)
- April 2008 (5)
- February 2008 (2)
- December 2007 (1)
- September 2007 (4)
- July 2007 (1)
- June 2007 (2)
- April 2007 (2)
- March 2007 (2)
- February 2007 (2)
- January 2007 (4)
- December 2006 (1)
- November 2006 (7)
Entries and comments feeds.
Valid XHTML and CSS.
Powered by WordPress. Hosted by NearlyFreeSpeech.NET.
I was working away and was, not alarmed, but surprised to find the ssh key had changed. It is good to know it’s not someone actually trying to do something nasty as my ssh client claimed might be happening.
Comment by Alan Linton — May 17, 2008 #
I understand that it’s important to move quickly when fixing holes, but since this was a policy change and not a reaction to an actual security breach, what do you think about announcing these sort of things a few days before implementing the changes?
We’re a fast-moving company. We try to give appropriate advance notice depending on the significance of a change without turning even the most minor update into a bureaucratic nightmare. With a trivial (in its effect) change of this nature, we felt that the time most people would want information about it would be at the time they encountered the change. -jdw
Comment by Ken Dreyer — May 18, 2008 #
You guys run a tight ship. 😀
Comment by Brad — May 19, 2008 #
Nice work! I haven’t gotten an email about a weak key, so I’m assuming that I should be safe 😛
That’s not necessarily a safe assumption. If you were running affected Debian versions, you should update and regenerate and replace your keys. I believe the key blacklist is known to produce both false positives and false negatives, so should not be the sole measure of safety. -jdw
Comment by Charlie Melbye — May 20, 2008 #
A timely warning, since I just now got the ALL CAPITALS WARNING and headed over here to see “What’s up, Doc?” 🙂
As usual, well-done with keeping on top of security.
Comment by Bumpy Light — May 22, 2008 #
Thank you. The capital letters didn’t alarm me too much, since I see them all the time on my home network when I reload a machine.
It’s good to see this info posted. I know some other hosts that would make the change without any kind of announcement. (Sometimes not even telling the support staff about the change, making for some very confused customers)
Comment by Nesman — May 25, 2008 #
The relevant member FAQ entry (q=SSH) needs to be updated, as it does not contain the rs2 key.
The relevant FAQ entry is actually this one; we’ve changed the one you’re referring to to point to it. -jdw
Comment by GreenReaper — June 13, 2008 #