Debian / Ubuntu Linux Public key Blacklisted (see ssh-vulnkey(1)) Error and Solution

Q. Whenever I try to login to my remote Debian Linux server called in013.example.com, I get the following error message in /var/log/auth.log file:

Jul 1 17:04:36 in013 sshd[14447]: Public key 48:de:55:22:xx:yy:zz:yy:xx:yy:zz:yy::88:e8:87:47 blacklisted (see ssh-vulnkey(1))
Jul 1 17:04:36 in013 sshd[14447]: Public key 48:de:55:22:xx:yy:zz:yy:xx:yy:zz:yy::88:e8:87:47 blacklisted (see ssh-vulnkey(1))

I’m using Ubuntu Linux as my desktop operating system. How do I fix this error?

A. This is a well-known security flaw in the Debian / Ubuntu Linux OpenSSL package. First, you need to update your Ubuntu Linux desktop software by typing the following commands:
$ sudo apt-get update
$ sudo apt-get upgrade

This will update the openssl, openssh server and client packages for you. It will also regenerate the COMPROMISED keys stored in the /etc/ssh/ directory. However, this will not update your personal COMPROMISED keys stored at $HOME/.ssh. Type the following command to list all COMPROMISED keys:
$ sudo ssh-vulnkey -a
ssh-vulnkey checks a key against a blacklist of compromised keys. You must remove all COMPROMISED keys and regenerate them using the ssh-keygen command:
$ cd ~/.ssh
$ rm id_*
$ ssh-keygen -t rsa

OR
$ ssh-keygen -t dsa
Upload the new id_rsa.pub or id_dsa.pub file to the remote host and overwrite the existing authorized_keys2 file, enter:
$ scp ~/.ssh/id_rsa.pub user@in013.example.com:.ssh/authorized_keys2
If you have multiple keys, copy ~/.ssh/id_rsa.pub to $HOME on the remote host and manually delete / update the entry in the authorized_keys2 file:
$ scp ~/.ssh/id_rsa.pub user@in013.example.com:~/
Find out the line number of the old key, enter:
$ grep 'your-desktop-name' ~/.ssh/authorized_keys2
Use vi to open the file at the COMPROMISED key, enter (replace N with the actual line number):
$ vi +N ~/.ssh/authorized_keys2
Delete the line by pressing dd once. Save and close the file. Append the new public key, enter:
$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys2
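
The manual edit above (find the line, delete it, append the new key) can be scripted on the remote host. The following is an added example, not part of the original article; `replace_authorized_key` is a hypothetical helper name and the keys in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article. replace_authorized_key is a
# hypothetical helper name; the key material in the demo is constructed.
#
# Usage: replace_authorized_key AUTH_FILE OLD_COMMENT NEW_PUBKEY_FILE
# Drops every entry whose trailing comment equals OLD_COMMENT, then appends the
# new public key. Stricter than a substring grep: "user@desktop-2" is kept.
replace_authorized_key() {
    auth_file=$1 old_comment=$2 new_pub=$3

    [ -f "$auth_file" ] || { echo "no such file: $auth_file" >&2; return 1; }
    [ -s "$new_pub" ] || { echo "missing or empty: $new_pub" >&2; return 1; }
    [ -n "$old_comment" ] || { echo "empty comment" >&2; return 1; }

    # Refuse to touch the file when nothing matches: a typo in the comment
    # would otherwise leave the compromised key authorised.
    hits=$(OLD=$old_comment awk '!/^#/ && $NF == ENVIRON["OLD"] { n++ }
                                 END { print n + 0 }' "$auth_file")
    [ "$hits" -gt 0 ] || { echo "no entry for: $old_comment" >&2; return 1; }

    cp -p "$auth_file" "$auth_file.bak" || return 1  # rollback copy
    tmp=$(mktemp "$auth_file.XXXXXX") || return 1    # created with mode 0600

    # Keep comments and all other entries, then append the new key
    # ("awk 1" guarantees the appended line ends with a newline).
    OLD=$old_comment awk '/^#/ || $NF != ENVIRON["OLD"]' "$auth_file" > "$tmp" &&
        awk 1 "$new_pub" >> "$tmp" &&
        chmod 600 "$tmp" &&
        mv "$tmp" "$auth_file" || { rm -f "$tmp"; return 1; }
}

# Demo on constructed data in a scratch directory.
demo_dir=$(mktemp -d)
printf '%s\n' \
    'ssh-rsa AAAAB3CONSTRUCTEDOLD user@desktop' \
    'ssh-rsa AAAAB3CONSTRUCTEDOTHER user@desktop-2' > "$demo_dir/authorized_keys2"
echo 'ssh-rsa AAAAB3CONSTRUCTEDNEW user@desktop' > "$demo_dir/id_rsa.pub"
replace_authorized_key "$demo_dir/authorized_keys2" 'user@desktop' "$demo_dir/id_rsa.pub"
cat "$demo_dir/authorized_keys2"
rm -rf "$demo_dir"
```

Remove the `.bak` copy once you have confirmed that login with the new key works, since it still contains the old entry.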

2 comments
  • Gavin McQuillan May 4, 2009 @ 3:32

    Hi.

    This was a quick, helpful guide to negotiating this situation. However, I found that one extra step was helpful in making the remote system accessible again (if you run into “Permission denied (publickey)” error) :

    from the desktop system:
    $ ssh-add
    [enter password]

    Now you shouldn’t have any trouble accessing the remote server.

  • greylion Aug 29, 2009 @ 17:56

    When scp’ing the new id_*pub files over, it asks for the passwd.
    After typing in the passwd, I get these errors:
    setterm: $TERM is not defined.
    setterm: $TERM is not defined.
    scp: .ssh/authorized_keys2: No such file or directory
    (Debian 5.0/lenny 32-bit)

    Apparently, I don’t need to do that, it works anyway.
    Maybe the pubkeys get transferred upon first login, when you’re asked yes/no to continue connecting?
    I did need to delete a couple of old ones in known_hosts, though, for both root and my (only) user.
