[Python-Dev] heads up on svn.python.org ssh keys - debian/ubuntu users may need new ones
Alexandre Vassalotti
alexandre at peadrop.com
Wed May 14 02:17:53 CEST 2008
On Tue, May 13, 2008 at 7:12 PM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
> > If you generated your python subversion ssh key during this time on a
> > machine fitting the description above, please consider replacing your
> > keys.
> >
> > apt-get update ; apt-get upgrade on debian will provide you with a
> > ssh-vulnkey program that can be used to test if your ssh keys are
> > valid or not.
>
> I'll ping all committers for which ssh-vulnkey reports COMPROMISED.
>
> I personally don't think the threat is severe - unless people also
> published their public SSH keys somewhere, there is little chance that
> somebody can break in by just guessing them remotely - you still need
> to try a lot of combinations for user names and passwords, plus with
> subversion, we'll easily recognize doubtful checkins (as we do even
> if the committer is legitimate :-).
>
Well, I had a break-in on my public server (peadrop.com) this week,
which had a copy of my ssh pubkey. I don't know if the attacker took a
look at my pubkeys, but I won't take any chance. So, I definitely have
to change my key, ASAP.
-- Alexandre
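
The blacklist check discussed in this thread, sketched as an added example (not part of the original message and not ssh-vulnkey's own code): it audits an authorized_keys file using only the public keys. The blacklist format (the last 20 hex digits of each key's MD5 fingerprint) is an assumption modelled on Debian's openssh-blacklist, and the keys and blacklist entries below are constructed.

```python
import base64
import hashlib


def fingerprint_tail(pubkey_line):
    """Last 80 bits (20 hex digits) of the MD5 fingerprint of the key blob in
    an authorized_keys line, or None if the line cannot be parsed."""
    fields = pubkey_line.split()
    # A line may start with options, so locate the key-type field first.
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-")):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None
            return hashlib.md5(blob).hexdigest()[12:]
    return None


def audit(authorized_keys_text, blacklist):
    """Return (line_number, status) for every key line in the file text."""
    results = []
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tail = fingerprint_tail(line)
        if tail is None:
            status = "UNPARSABLE"
        elif tail in blacklist:
            status = "COMPROMISED"   # must be removed and regenerated
        else:
            status = "not blacklisted"
        results.append((n, status))
    return results


def _sample_key(name):
    # Constructed stand-in for a key blob; not a real SSH key.
    blob = base64.b64encode(b"constructed-key-" + name.encode()).decode()
    return "ssh-rsa %s %s@example" % (blob, name)


# Constructed sample data: one blacklisted key, one clean key, one bad line.
SAMPLE_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    _sample_key("alice"),
    "no-pty " + _sample_key("bob"),
    "ssh-rsa not*base64 carol@example",
])
SAMPLE_BLACKLIST = {fingerprint_tail(_sample_key("alice"))}

if __name__ == "__main__":
    for line_no, status in audit(SAMPLE_KEYS, SAMPLE_BLACKLIST):
        print(line_no, status)
```

Because the lookup needs nothing but the public half, anyone holding a copy of a pubkey can run the same test, which is why a published or leaked public key matters here.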