In light of the recent revelations about the back door in ssh (which may have affected Ubuntu 22.04.3 LTS) should I generate new RSA keys for logging into my server?
From what I’ve read the only Ubuntu that was affected was 24.04 LTS. Here is a quote from the official Ubuntu Discourse.
If you were unfortunate enough to get the backdoored version,
I would think more than generating new keys would be required.
I dont think I would be happy with anything less than a complete wipe and a new install.
Far as I understand it, the corrupted XZ libraries only got as far as being included in some of the “proposed” pre-release versions of Noble Numbat. It was never widely released and was not present in previous versions of Ubuntu (as far as anyone knows).
It’s reported that there’s a big effort underway to revert to prior XZ libraries and, at the same time, studying them for any signs of this hack.
It looks like you can trust your distro to look after this for you.
If you are still worried, install an earlier release.
Changing my SSH keys would be a huge task for me…
Getting a headache just thinking about it - bugger that - going to the fridge and cracking another tinnie (beer) and cranking up some metal music!
I guess I really should do it before I become even more complacent.
I recently renewed my subscription to MobaXterm - but couldn’t be arsed making it into a portable Windows app and “publishing” (sideloading ) it to like the 35 Windows jumphosts I need to run it on…
What really annoys the f–k out of me - is “why can’t we have a Linux / UNIX ssh jumphost?” as if somehow RDP is more secure than SSH?
I have never understood ssh keys.
I cant fathom how to deal with multiple linuxes in the same computer. The keys keep changing e very time I boot a different Linux. Every Linux wants to make its own set of keys, so when I ssh from my other computer it never knows which set of keys to use.
I use the same rsa keys on all my home systems…
Soon as I stand up a new machine at home - I copy id_rsa (and for good measure id_rsa.pub) to ~/.ssh/. on the new system - then I can ssh using keybased auth to all my other systems…
I’m so lazy I usually use “sshpass” to test my connection, and accept the remote host (so it gets and entry in ~/.ssh/known_hosts) - if that works, I use sshpass to copy my keys to the remote machine (so it gets an entry, on the remote machine ~/.ssh/authorized_keys :
sshpass -p$PASSWORD ssh-copy-id user@remotehost
After this I can scp the key files to the remote host :
scp -p ~/.ssh/id_rsa\* user@remotehost
Haven’t had to do it for ages - but sometimes I verify the key files have the right perms : octal 0600 should be just fine for EVERY file located in ~/.ssh/ - the folder ~/.ssh should be 0700, and at the least all the files in there should be 0600
I also keep my keys in a “configs” folder in my private cloud solution (Resilio Sync).
Needless to say - I hardly ever have to run ssh-keygen - because I use the same keys…