Re: [Hampshire] OpenSSL in Debian is broken

Author: Paul Tansom
Date:  
To: hampshire
Subject: Re: [Hampshire] OpenSSL in Debian is broken
** Nick Chalk <nick@???> [2008-05-13 23:07]:
> Hugo Mills <hugo@???> wrote:

<<snip>>
> [ Oh what a /fun/ evening. I've realised just how
> many Linux systems I maintain, and how many
> OpenVPN tunnels. Trying to work out the correct
> sequence of ssh key generation to avoid locking
> yourself out of once-removed remote systems is not
> best done when tired... ]

** end quote [Nick Chalk]

Indeed, although thankfully I doubt I have as many to deal with, and one
I was in the process of rebuilding anyway. As a quick aside on that, I
rather liked the Ubuntu upgrade process compared to that used by Debian.
It's only a very minor difference, but having the upgrade regenerate the
server keys for you was a nice touch. Additionally, with my network of
servers there is only a single one that isn't restricted on what IP
addresses can connect in with SSH, which further reduces exposure.

As for knowing which keys were affected, I found the ssh-vulnkey command
very handy when working through my authorized_keys files, aided by the
fact that I have recently worked through them and reorganised them into
commented groups to make it easier to read. I've taken the opportunity
to further improve things with better comments for each key as well.
I've pretty much regenerated everything anyway though, including my
PuTTY keys.

One peculiarity I did notice was that some of my keys showed up as
"Unknown (no blacklist information):". On investigation I noticed that
these were all generated by the PuTTY Keygen utility (which uses mouse
movement over an area of the screen for 'randomness', so I try to move
out of the monitored area and back in as much as possible!). They showed
up as 1023 bit (in one case)[1] and 2047 bit (in others). A bit odd, but
from memory likely to be something to do with the key being generated in
two halves or something (I don't have the reference to hand
unfortunately).

[1] I really must get back to the machine to regenerate that key; I
only checked it out of interest. It is actually commented out, and I'll
use my roaming key to access it when I get back to it.

--
Paul Tansom | Aptanet Ltd. | http://www.aptanet.com/ | 023 9238 0001
======================================================================
Registered in England | Company No: 4905028 | Registered Office:
Crawford House, Hambledon Road, Denmead, Waterlooville, Hants, PO7 6NU
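The authorized_keys audit and the odd 2047-bit PuTTY keys discussed in the message above, as an added Python example that is not part of the original post or of the ssh-vulnkey tool: it parses authorized_keys lines (options, key blob, comment), derives each key's bit length from the modulus, and emulates the three ssh-vulnkey verdicts against a blacklist modelled as a lookup keyed on (key type, bit length). The keys and blacklist fingerprints are constructed, and keying the lookup on the exact bit length is an assumption about how a 2047-bit key ends up with "no blacklist information", not a documented property of the tool.

```python
import base64, hashlib, re, struct

def _sshstr(b):  # SSH "string": 4-byte big-endian length prefix, then the bytes
    return struct.pack(">I", len(b)) + b
def _mpint(x):  # SSH mpint: magnitude bytes with a leading 0x00 when the top bit is set
    return _sshstr(x.to_bytes((x.bit_length() + 8) // 8, "big"))
def rsa_blob(e, n):  # ssh-rsa public key wire format: "ssh-rsa", e, n
    return _sshstr(b"ssh-rsa") + _mpint(e) + _mpint(n)

def _fields(blob):  # split a key blob back into its length-prefixed fields
    out, i = [], 0
    while i < len(blob):
        (n,) = struct.unpack(">I", blob[i:i + 4])
        out.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return out

def key_bits(blob):
    """Bit length of the RSA modulus n (3rd field) or DSA prime p (2nd field);
    a modulus whose top bit is clear is what shows up as 1023 or 2047 bits."""
    f = _fields(blob)
    return int.from_bytes(f[2] if f[0] == b"ssh-rsa" else f[1], "big").bit_length()

def fingerprint(blob):  # MD5 of the raw blob, the fingerprint form OpenSSH used at the time
    return hashlib.md5(blob).hexdigest()

KEY_RE = re.compile(r"(ssh-rsa|ssh-dss)\s+([A-Za-z0-9+/=]+)\s*(.*)$")
def audit(authorized_keys, blacklist):
    """Return (comment, bits, verdict) per key line; 'blacklist' maps (type, bits) -> set of
    fingerprints. No entry for a (type, bits) pair gives the 'Unknown' verdict (an assumption)."""
    results = []
    for line in (l.strip() for l in authorized_keys.splitlines()):
        m = KEY_RE.search(line)
        if not m or line.startswith("#"):
            continue  # blank line, commented-out key, or a key type not handled here
        ktype, blob, comment = m.group(1), base64.b64decode(m.group(2)), m.group(3)
        bits = key_bits(blob)
        known = blacklist.get((ktype, bits))
        verdict = ("Unknown (no blacklist information)" if known is None
                   else "COMPROMISED" if fingerprint(blob) in known else "Not blacklisted")
        results.append((comment, bits, verdict))
    return results

# Constructed sample data: synthetic moduli, not real key pairs
def b64(blob): return base64.b64encode(blob).decode()
GOOD = rsa_blob(65537, (1 << 2047) | 0x10001)  # 2048-bit, not on the blacklist
BAD = rsa_blob(65537, (1 << 2047) | 0x3)       # 2048-bit, on the blacklist
PUTTY = rsa_blob(65537, (1 << 2046) | 0x5)     # 2047-bit, like the PuTTY keys in the post
BLACKLIST = {("ssh-rsa", 2048): {fingerprint(BAD)}}
SAMPLE = ("# backup hosts\n" + 'from="192.0.2.10" ssh-rsa ' + b64(GOOD) + " backup@host\n"
          + "ssh-rsa " + b64(BAD) + " old-laptop\nssh-rsa " + b64(PUTTY) + " putty-desktop\n")
```

Running audit(SAMPLE, BLACKLIST) gives one tuple per key with the comment, bit length and verdict; the commented-out header line is skipped as a real authorized_keys parser would.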