security failure at digital ocean

This morning I received an email from Digital Ocean titled “Avoid Duplicate SSH Host Keys”. The email said:

“If you have created an Ubuntu Droplet or snapshot prior to July 2nd, DigitalOcean recommends regenerating the SSH host keys. Droplets based on standard images now create unique SSH host keys.”

(This, of course, implies that they didn’t before. Bad news.)

It went on to say how to do this, but rather disappointingly didn’t say either why I should, or why I should need to do so. A naive user might see the, in my view rather weak, line “…recommends regenerating the SSH host keys” and not take the issue as seriously as it needs to be taken. Fortunately the email gave a link to a blog post giving more detail, but even that blog post didn’t really do the subject justice. One of the commenters on that posting, however, provided a link to a separate earlier posting by Joshua Lund, a DO customer, explaining how he had discovered that all the Ubuntu images he created seemed to come up with the same SSH host keys. This is not a good thing (TM).

DO seem now to have fixed the problem, and it seems only to have affected Ubuntu images. I use Debian, and I’ve checked mine and they are all different, but I’ll regenerate anyway just for good form. But there is a wider lesson here. As Lund says in his post:

“this problem might affect other VPS providers as well. It would also be easy to fall into the same trap if you are using disk images to rapidly provision new hardware.”

I am about to regenerate keys on all my other VPSs.
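As an added example (not from this post, nor DigitalOcean’s own instructions), here is a small shell check for the problem Lund found: feed it `ssh-keyscan` output for your hosts and it reports any host key that more than one host presents. The host names and key material below are constructed; the regeneration function is the usual Debian/Ubuntu procedure and is defined but not run, since it needs root on the affected host.

```shell
#!/bin/sh
# Constructed sample in the format ssh-keyscan prints ("host keytype base64key").
# Three of the four hypothetical droplets share one ed25519 key, as cloned images would.
SAMPLE_KEYSCAN='
web1.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYONEKEYONEKEYONE
web2.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYONEKEYONEKEYONE
db1.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYTWOKEYTWOKEYTWO
cache1.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYONEKEYONEKEYONE
'

# find_duplicate_hostkeys: reads keyscan-style lines on stdin and prints one line
# per key seen on more than one host: "<count> <keytype> <host> <host> ...".
# A fleet with unique host keys produces no output at all.
find_duplicate_hostkeys() {
    awk 'NF >= 3 && $1 !~ /^#/ {
        k = $2 " " $3              # key type plus key material identifies the key
        seen[k]++
        ktype[k] = $2
        hosts[k] = hosts[k] " " $1 # collect every host presenting this key
    }
    END {
        for (k in seen) if (seen[k] > 1) print seen[k], ktype[k] hosts[k]
    }' | sort
}

# duplicate_count: number of distinct keys shared between hosts (0 is the healthy result).
duplicate_count() {
    find_duplicate_hostkeys | awk 'END { print NR }'
}

# regenerate_hostkeys: run as root ON an affected Debian/Ubuntu host. Deletes the
# cloned keys, lets the openssh-server package generate fresh ones, and restarts
# sshd so the new keys are served. Clients will then see a changed-host-key
# warning for this host until their known_hosts entries are updated.
regenerate_hostkeys() {
    rm -f /etc/ssh/ssh_host_*_key /etc/ssh/ssh_host_*_key.pub
    dpkg-reconfigure openssh-server
    service ssh restart
}

# Demo on the constructed sample; on a real fleet replace the printf with
# something like: ssh-keyscan host1 host2 host3 2>/dev/null | find_duplicate_hostkeys
printf '%s\n' "$SAMPLE_KEYSCAN" | find_duplicate_hostkeys
```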

Permanent link to this article: https://baldric.net/2013/08/03/security-failure-at-digital-ocean/