[CentOS] OpenSSL/SSH Bug on Debian - Compromised key pairs

Thu May 15 16:56:19 UTC 2008
Ned Slider <ned at unixmail.co.uk>

Daniel de Kok wrote:
> "Furthermore, all DSA keys ever used on affected Debian systems for
> signing or authentication purposes should be considered compromised;
> the Digital Signature Algorithm relies on a secret random value used
> during signature generation."
> Take care,
> Daniel

SANS have more on this today and will likely continue to update the 
story as new developments emerge:


To summarise, scripts that allow brute-forcing of keys are already in 
the wild - expect to see an upturn in activity on port 22 as a result. 
Further, for SSL secured websites, if the public key is known, no 
brute-forcing is even necessary.