Comments on: SSH RSA host key changed

By: GreenReaper

GreenReaper — Fri, 13 Jun 2008 09:15:47 +0000

The relevant member FAQ entry (q=SSH) needs to be updated, as it does not contain the rs2 key. The relevant FAQ entry is actually this one; we've changed the one you're referring to to point to it. -jdw

By: Nesman

Nesman — Sun, 25 May 2008 03:45:17 +0000

Thank you. The capital letters didn’t alarm me too much, since I see them all the time on my home network when I reload a machine.

It’s good to see this info posted. I know some other hosts that would make the change without any kind of announcement. (Sometimes not even telling the support staff about the change, making for some very confused customers)

By: Bumpy Light

Bumpy Light — Thu, 22 May 2008 19:04:58 +0000

A timely warning, since I just now got the ALL CAPITALS WARNING and headed over here to see “What’s up, Doc?” 🙂

As usual, well-done with keeping on top of security.

By: Charlie Melbye

Charlie Melbye — Tue, 20 May 2008 00:04:51 +0000

Nice work! I haven’t gotten an email about a weak key, so I’m assuming that I should be safe 😛

That’s not necessarily a safe assumption. If you were running affected Debian versions, you should update and regenerate and replace your keys. I believe the key blacklist is known to produce both false positives and false negatives, so should not be the sole measure of safety. -jdw

By: Brad

Brad — Mon, 19 May 2008 01:43:39 +0000

You guys run a tight ship. 😀

By: Ken Dreyer

Ken Dreyer — Sun, 18 May 2008 06:06:39 +0000

I understand that it’s important to move quickly when fixing holes, but since this was a policy change and not a reaction to an actual security breach, what do you think about announcing these sort of things a few days before implementing the changes?

We’re a fast-moving company. We try to give appropriate advance notice depending on the significance of a change without turning even the most minor update into a bureaucratic nightmare. With a trivial (in its effect) change of this nature, we felt that the time most people would want information about it would be at the time they encountered the change. -jdw

By: Alan Linton

Alan Linton — Sat, 17 May 2008 21:15:27 +0000

I was working away and was, not alarmed, but surprised to find the ssh key had changed. It is good to know it’s not someone actually trying to do something nasty as my ssh client claimed might be happening.