Tool Released to Brute Force Vulnerable SSH Server
Thursday, May 15, 2008 at 11:18AM

Earlier this week I posted about a vulnerability in OpenSSL that limits the entropy used to generate encryption keys, so that only a small, enumerable set of keys can ever be produced by an affected system. Yesterday HD Moore released all possible 1024-bit DSA and 2048-bit RSA keys that could be generated by systems running the vulnerable version of OpenSSL.

Today Markus Mueller released a Perl script that uses these pre-generated keys to brute force public key authentication against SSH servers whose authorized keys were generated with the vulnerable OpenSSL. Markus estimates the maximum amount of time required for the attack is 20 minutes. Of course this assumes account lockout settings do not get in the way and lock out the account.

Again: patch your systems and be sure to regenerate your keys!
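Regenerating keys is only half the job: a server also has to stop trusting the weak public keys already sitting in users' authorized_keys files. As an added, defender-side example (not from the original post and not Markus Mueller's script), here is a small Python checker that parses an authorized_keys file, computes each key's fingerprint and flags entries whose fingerprint appears on a blocklist of known-weak keys. Everything in it is constructed: the two RSA blobs are built in the script from small placeholder integers rather than taken from the affected key space, the host names and comments are made up, and the blocklist is derived from one of those constructed keys. In practice the blocklist would be the distribution's published list of fingerprints for the affected key space.

```python
import base64
import hashlib
import struct
from typing import Iterable, Iterator, List, Tuple


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH mpint for a non-negative integer (extra leading zero byte if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Build the OpenSSH public-key blob for an RSA key: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def fingerprint_sha256(blob: bytes) -> str:
    """Fingerprint in the form modern ssh-keygen -l prints: base64 SHA-256, no '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, the form ssh-keygen -l printed in 2008."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def parse_authorized_keys(text: str) -> Iterator[Tuple[str, bytes, str]]:
    """Yield (key_type, blob, comment) for each key line.

    Lines may carry leading options (e.g. no-pty,from="..."); the key type is taken as the
    first field that looks like an SSH key type, and the type string embedded in the blob
    must match it, which catches corrupted or hand-edited lines.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, field in enumerate(fields):
            if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
                blob = base64.b64decode(fields[i + 1])
                (length,) = struct.unpack(">I", blob[:4])
                embedded_type = blob[4:4 + length].decode()
                if embedded_type != field:
                    raise ValueError(f"type field {field!r} does not match blob type {embedded_type!r}")
                yield field, blob, " ".join(fields[i + 2:])
                break


def find_blocklisted_keys(text: str, blocklist: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (key_type, sha256_fingerprint, comment) for every key whose fingerprint is on the blocklist.

    Both fingerprint forms are checked so that a list published in either form can be used.
    """
    bad = set(blocklist)
    hits = []
    for key_type, blob, comment in parse_authorized_keys(text):
        sha = fingerprint_sha256(blob)
        if sha in bad or fingerprint_md5(blob) in bad:
            hits.append((key_type, sha, comment))
    return hits


# Constructed sample material (hypothetical; not real keys and not from the affected key space).
# WEAK_BLOB stands in for a key that appears on a published weak-key list; OK_BLOB does not.
WEAK_BLOB = rsa_public_blob(65537, 0xC3A5F7E9D1B6A4C3)
OK_BLOB = rsa_public_blob(65537, 0x9B7D5F3E1A2C4E6F)

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the example",
    'no-pty,from="10.0.0.0/8" ssh-rsa ' + base64.b64encode(WEAK_BLOB).decode() + " legacy@host-a",
    "ssh-rsa " + base64.b64encode(OK_BLOB).decode() + " fresh@host-b",
])

# Constructed blocklist, in the MD5 form; a real one would come from the distribution's
# published data for the affected key space, not from this file.
SAMPLE_BLOCKLIST = {fingerprint_md5(WEAK_BLOB)}


def scan_sample() -> List[Tuple[str, str, str]]:
    """Run the checker over the constructed file and return the flagged entries."""
    return find_blocklisted_keys(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BLOCKLIST)


if __name__ == "__main__":
    for key_type, fp, comment in scan_sample():
        print(f"WEAK KEY: {key_type} {fp} {comment} -- regenerate and replace this key")
```

Run against a real file, the checker would be pointed at each user's authorized_keys (and at the host keys in /etc/ssh) with the distribution's blocklist substituted for SAMPLE_BLOCKLIST; any hit is a key that must be removed from the file and regenerated on a patched system, because the point of the vulnerability is that regenerating on an unpatched system just produces another key from the same small set.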
Cheers,
Matt