ssh keys and the Debian breach

Joseph S. Myers joseph@codesourcery.com
Wed May 14 23:56:00 GMT 2008


Someone with root needs to run the scanner (most of the authorized_keys 
files are world-readable, but not all, and only root can remove any 
insecure keys from them).

If updatekey appends to the file rather than replacing the contents, it's 
not an adequate solution for users to run updatekey, since the old key 
needs removing as well as a new secure one adding.

I don't know what differences there may be between the keys detected by 
ssh-vulnkey and those detected by the perl script linked from the original 
Debian advisory.

-- 
Joseph S. Myers
joseph@codesourcery.com
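An added illustration of the two points above, written for this page and not taken from Joseph Myers's message, from Debian's ssh-vulnkey, or from the updatekey tool: a root-run scan over every user's authorized_keys that removes blacklisted keys and only then installs a replacement, so that re-running it neither duplicates the new key nor leaves the old one behind. It assumes, for illustration only, that the blacklist is a set of MD5 fingerprints of the decoded key blob (what `ssh-keygen -l -E md5` prints); the real ssh-vulnkey consults the openssh-blacklist package's own hash lists, and the key lines used in the demo are constructed stand-ins rather than real keys.

```python
#!/usr/bin/env python3
"""Added example (not from the original message or from Debian's tools):
scan every user's authorized_keys as root, drop keys whose fingerprint is on
a blacklist, and append a replacement key only once the weak one is gone.

Assumption for illustration: the blacklist is a set of MD5 fingerprints of
the raw key blob. Debian's ssh-vulnkey uses the openssh-blacklist package's
own lists instead."""
import base64
import hashlib
import os
import pwd

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint of a decoded public-key blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_line(line: str):
    """Return (keytype, blob) for an authorized_keys line, or None.

    Lines may carry a leading options field (command="...", from="..."), so
    locate the key-type token and base64-decode the field after it. Blank
    lines, comments and undecodable lines yield None and are kept as-is."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_PREFIXES):
            try:
                return field, base64.b64decode(fields[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
    return None


def replace_blacklisted(content: str, blacklist, replacement=None):
    """Rewrite authorized_keys text: remove every key whose fingerprint is
    in `blacklist`, keep non-key lines untouched, and append `replacement`
    (if given) exactly once so re-running is idempotent.
    Returns (new_text, removed_fingerprints)."""
    kept, removed = [], []
    for line in content.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            fp = md5_fingerprint(parsed[1])
            if fp in blacklist:
                removed.append(fp)
                continue
        kept.append(line)
    if replacement:
        new = replacement.strip()
        if new not in (k.strip() for k in kept):
            kept.append(new)
    return ("\n".join(kept) + "\n") if kept else "", removed


def scan_all_users(blacklist, apply=False):
    """Walk /etc/passwd; needs root to read every user's file. Returns
    {path: [removed fingerprints]}. With apply=False nothing is written."""
    report = {}
    for pw in pwd.getpwall():
        for name in ("authorized_keys", "authorized_keys2"):
            path = os.path.join(pw.pw_dir, ".ssh", name)
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                new_text, removed = replace_blacklisted(fh.read(), blacklist)
            if removed:
                report[path] = removed
                if apply:
                    with open(path, "w", encoding="utf-8",
                              errors="surrogateescape") as fh:
                        fh.write(new_text)
    return report


def fake_key_line(keytype: str, seed: str, comment: str) -> str:
    """Constructed stand-in key line for the demo; the blob is not a real
    SSH wire-format key, just bytes derived from `seed`."""
    blob = hashlib.sha256(seed.encode()).digest()
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    weak = fake_key_line("ssh-rsa", "weak-debian-key", "alice@laptop")
    good = fake_key_line("ssh-dss", "fine-key", "bob@desktop")
    fresh = fake_key_line("ssh-rsa", "regenerated", "alice@laptop")
    blacklist = {md5_fingerprint(parse_line(weak)[1])}
    text, removed = replace_blacklisted(f"# alice\n{weak}\n{good}\n",
                                        blacklist, fresh)
    print(f"removed {len(removed)} key(s):\n{text}")
```

Running `scan_all_users(blacklist)` as an unprivileged user silently skips files it cannot read, which is exactly why the message says the scan has to be run as root; `apply=True` rewrites files in place and is best preceded by a dry run.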


