Weak Debian OpenSSH Keys in ~/.ssh/authorized_keys
Critical Nessus Plugin ID 32320
Synopsis
The remote SSH host is set up to accept authentication with weak Debian SSH keys.
Description
The remote host has one or more ~/.ssh/authorized_keys files containing weak SSH public keys generated on a Debian or Ubuntu system.
The problem is due to a Debian packager removing nearly all sources of entropy from Debian's build of OpenSSL, so keys generated on affected systems come from a very small, predictable set.
This problem is not limited to Debian hosts: any user who uploads a weak SSH key into ~/.ssh/authorized_keys compromises the security of the remote system, whatever operating system it runs.
An attacker could try a brute-force attack against the remote host and log on using these weak keys.
Solution
Remove all the offending entries from ~/.ssh/authorized_keys.
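The check and remediation described above, as an added example that is not Nessus plugin code: it parses authorized_keys entries (including ones with leading options), fingerprints each key blob, and drops entries whose fingerprint appears in a blacklist. The blacklist format is assumed to be the Debian openssh-blacklist style (last 20 hex characters of the MD5 fingerprint); the keys and blacklist are constructed for the example and are not real weak keys.

```python
import base64
import hashlib
import re
import struct

def ssh_string(b: bytes) -> bytes:
    """Encode one length-prefixed SSH wire-format field (RFC 4251)."""
    return struct.pack(">I", len(b)) + b

def rsa_blob(e: int, n: int) -> str:
    """Build a base64 'ssh-rsa' public-key blob from constructed e and n (mpint encoding)."""
    mpint = lambda v: v.to_bytes((v.bit_length() + 8) // 8, "big")
    return base64.b64encode(ssh_string(b"ssh-rsa") + ssh_string(mpint(e)) + ssh_string(mpint(n))).decode()

def fingerprint_md5(b64_blob: str) -> str:
    """Hex MD5 fingerprint of a decoded key blob, as ssh-keygen -l -E md5 computes it."""
    return hashlib.md5(base64.b64decode(b64_blob)).hexdigest()

# Key type followed by its base64 blob; options such as command="..." may precede it.
KEY_RE = re.compile(r"(?:^|\s)(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)")

def find_blacklisted(authorized_keys_text: str, blacklist: set) -> list:
    """Return (line_number, key_type, fingerprint) for entries whose fingerprint tail is blacklisted."""
    hits = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are never keys
        m = KEY_RE.search(stripped)
        if not m:
            continue
        ktype, blob = m.groups()
        fp = fingerprint_md5(blob)
        if fp[-20:] in blacklist:  # assumed blacklist format: trailing 80 bits of the MD5 fingerprint
            hits.append((lineno, ktype, fp))
    return hits

def remediate(authorized_keys_text: str, blacklist: set) -> str:
    """Return the file content with every blacklisted entry removed (the plugin's Solution)."""
    bad = {lineno for lineno, _, _ in find_blacklisted(authorized_keys_text, blacklist)}
    kept = [l for i, l in enumerate(authorized_keys_text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"

# Constructed sample data: tiny moduli so the example runs offline; NOT real keys or real blacklist entries.
WEAK_BLOB = rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
GOOD_BLOB = rsa_blob(65537, 0xDEADBEEF00112233445566)
SAMPLE_AUTHORIZED_KEYS = (
    "# ops team\n"
    f"ssh-rsa {WEAK_BLOB} alice@debian-etch\n"
    f'command="/usr/bin/rsync --server",no-pty ssh-rsa {GOOD_BLOB} backup@example\n'
)
BLACKLIST = {fingerprint_md5(WEAK_BLOB)[-20:]}  # constructed: marks only the "weak" sample key

if __name__ == "__main__":
    for lineno, ktype, fp in find_blacklisted(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        print(f"line {lineno}: blacklisted {ktype} key, MD5 {fp}")
```

On a real host, load BLACKLIST from the distribution's blacklist files instead of the constructed set, and run the check over every user's ~/.ssh/authorized_keys.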