
This guy says:

Debunking some Heartbleed FUD: You don’t need new SSH private keys. This affects the SSL protocol only.

My question is: Does the Heartbleed bug necessitate new SSH private keys? (Or is this merely FUD?) [For systems that had the buggy version of the OpenSSL library]

hawkeye

1 Answer

No, as far as I know you don't need to regenerate new key pairs (it would be sensible anyway, though). Heartbleed was a bug in the Heartbeat extension of OpenSSL for the keep-alive of an SSL/TLS connection.

Please see this article too: http://www.ssh.com/blog/12-ssh-communications-security-comments-on-heartbleed-vulnerability

Wcool
  • Sure - just to clarify - isn't there a risk they've copied your keys out of memory? – hawkeye Apr 16 '14 at 06:24
  • @hawkeye, I can't answer that precisely. If they were in memory at the time of the attack (leak), then there is always a probability. I'd suggest you regenerate the pairs anyway to have maximum security. Edit: It's a good habit to regenerate keys after any exploit such as this has been discovered so late (2 years, sigh). – Wcool Apr 16 '14 at 06:42