Should I generate new RSA keys?

In light of the recent revelations about the back door in ssh (which may have affected Ubuntu 22.04.3 LTS), should I generate new RSA keys for logging into my server?

From what I’ve read, the only Ubuntu that was affected was 24.04 LTS. Here is a quote from the official Ubuntu Discourse.

3 Likes

If you were unfortunate enough to get the backdoored version,
I would think more than generating new keys would be required.
I don't think I would be happy with anything less than a complete wipe and a new install.

3 Likes

As far as I understand it, the corrupted XZ libraries only got as far as being included in some of the “proposed” pre-release versions of Noble Numbat. It was never widely released and was not present in previous versions of Ubuntu (as far as anyone knows).

It’s reported that there’s a big effort underway to revert to prior XZ libraries and, at the same time, studying them for any signs of this hack.

1 Like

It looks like you can trust your distro to look after this for you.
If you are still worried, install an earlier release.

Changing my SSH keys would be a huge task for me…

Getting a headache just thinking about it - bugger that - going to the fridge and cracking another tinnie (beer) and cranking up some metal music!

I guess I really should do it before I become even more complacent.

I recently renewed my subscription to MobaXterm - but couldn’t be arsed making it into a portable Windows app and “publishing” (sideloading :smiley: ) it to like the 35 Windows jumphosts I need to run it on…

What really annoys the f–k out of me - is “why can’t we have a Linux / UNIX ssh jumphost?” as if somehow RDP is more secure than SSH?

2 Likes

I have never understood ssh keys.
I can't fathom how to deal with multiple Linuxes on the same computer. The keys keep changing every time I boot a different Linux. Every Linux wants to make its own set of keys, so when I ssh from my other computer it never knows which set of keys to use.

3 Likes

I use the same rsa keys on all my home systems…

As soon as I stand up a new machine at home - I copy id_rsa (and for good measure id_rsa.pub) to ~/.ssh/ on the new system - then I can ssh using key-based auth to all my other systems…

I’m so lazy I usually use “sshpass” to test my connection, and accept the remote host (so it gets an entry in ~/.ssh/known_hosts) - if that works, I use sshpass to copy my keys to the remote machine (so it gets an entry in ~/.ssh/authorized_keys on the remote machine):
sshpass -p"$PASSWORD" ssh-copy-id user@remotehost
After this I can scp the key files to the remote host (the colon and the remote path are needed, otherwise scp just writes a local file called “user@remotehost”):
scp -p ~/.ssh/id_rsa* user@remotehost:~/.ssh/
Haven’t had to do it for ages - but sometimes I verify the key files have the right perms: octal 0600 should be just fine for EVERY file located in ~/.ssh/ - the folder ~/.ssh should be 0700, and at the least all the files in there should be 0600.

I also keep my keys in a “configs” folder in my private cloud solution (Resilio Sync).

Needless to say - I hardly ever have to run ssh-keygen - because I use the same keys…

2 Likes
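The permission check described in the post above, written out as an added example (this is not the poster's own script): `check_ssh_perms` reports any deviation from 0700 on the directory and 0600 on the files inside it, and `fix_ssh_perms` applies those modes and re-checks. It assumes a `find` that supports `-mindepth`/`-maxdepth` (GNU and BSD both do) and defaults to `$HOME/.ssh` when no directory is given.

```shell
#!/bin/sh
# check_ssh_perms DIR: audit an ~/.ssh-style directory.
# Prints each offending path and returns 1 if anything is wrong,
# 0 if the directory is 0700 and every regular file in it is 0600,
# 2 if the directory does not exist. Assumes find supports -maxdepth.
check_ssh_perms() {
    dir=${1:-"$HOME/.ssh"}
    bad=0
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    # The directory itself must be exactly 0700 (-perm 700 is an exact match).
    if [ -n "$(find "$dir" -maxdepth 0 -type d ! -perm 700)" ]; then
        echo "WRONG: $dir should be 0700"
        bad=1
    fi
    # Every regular file directly inside must be exactly 0600.
    offenders=$(find "$dir" -mindepth 1 -maxdepth 1 -type f ! -perm 600)
    if [ -n "$offenders" ]; then
        printf 'WRONG (should be 0600):\n%s\n' "$offenders"
        bad=1
    fi
    return $bad
}

# fix_ssh_perms DIR: apply the same rules in place, then re-run the check
# so the return value tells you whether the directory is now clean.
fix_ssh_perms() {
    dir=${1:-"$HOME/.ssh"}
    [ -d "$dir" ] || return 2
    chmod 700 "$dir" || return 2
    find "$dir" -mindepth 1 -maxdepth 1 -type f -exec chmod 600 {} +
    check_ssh_perms "$dir"
}
```

Run `check_ssh_perms` on its own first; it changes nothing, so it is safe to call on a live ~/.ssh before deciding to run the fix.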