> A test tool (http://security.debian.org/project/extra/dowkd/dowkd.pl.gz)
> can be downloaded to check if vulnerable SSH keys are present on a box.
> Just unpack that tool and run it like this:
>
> # perl dowkd.pl root
>
> Then it'll check user root's /root/.ssh/authorized_keys file for
> vulnerable SSH keys. Change the username if you want to check other
> users (like "admin", etc.).
>
Michael,

Thanks for the heads up. A couple of us at work were discussing this today and were looking for a way to test some servers. This will be helpful and I just confirmed all of my servers are good.

However, I think the command to run against a user would be:

    # perl dowkd.pl user root

From the help file:

    usage: dowkd.pl [OPTIONS...] COMMAND [ARGUMENTS...]

    COMMAND is one of:

      file: examine files on the command line for weak keys
      host: examine the specified hosts for weak SSH keys
            (change destination port with "host -p PORT HOST...")
      user: examine user SSH keys for weakness; examine all users if no
            users are given
      quick: check this host for weak keys (encompasses "user" plus
             heuristics to find keys in /etc)
      help: show this help screen
      version: show version information

Ernie Aldama
ealdama at inhomepc dot net
Bringing computer service to your home:
Virus/spyware removal, data recovery, and upgrades