Based on the issue reported by @kvaps (big thanks!) we found out that a few appliances distributed via the OpenNebula Marketplace (http://marketplace.opennebula.org/) contain pre-generated SSH host keys. All VMs started from each affected appliance share the same base cryptographic secrets and are prone to various remote attacks and eavesdropping.
Affected KVM appliances:
- Alpine 3.6, 3.7, 3.8
- Debian 8, 9
- Devuan 1, 2
- alpine-vrouter
Affected vCenter appliances:
- alpine-vrouter
If you have any of these appliances imported into your image datastores, please drop them and pull the latest ones from the OpenNebula Marketplace (version: 5.6.0-0.20181120 or *0.20181121).
Existing VMs running from the affected images don’t need to be terminated, but new SSH host keys should be generated. This can be done by running the following commands inside your VMs:
- Alpine:
    rm -f /etc/ssh/ssh_host_*
    service sshd restart
- Debian / Devuan:
    rm -f /etc/ssh/ssh_host_*
    DEBIAN_FRONTEND=noninteractive dpkg-reconfigure openssh-server
We are sorry for any inconvenience.
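
To confirm that no two VMs still present the same host key after regeneration, the check below groups hosts by key and reports every key seen on more than one host. It is an added example, not part of the original announcement or of OpenNebula's tooling. It assumes input in the `<host> <keytype> <base64-key>` format written by `ssh-keyscan` and used in `known_hosts`; the function names, addresses and key strings are constructed for illustration.

```shell
#!/bin/sh
# Report SSH host keys that are presented by more than one host.
# Reads "<host> <keytype> <base64-key>" lines on stdin (ssh-keyscan / known_hosts format).
# Prints one line per shared key: "<keytype> <first 16 chars of key> <host1>,<host2>,..."
find_shared_host_keys() {
    awk '
        $1 ~ /^#/ || NF < 3 { next }        # skip comments, blank and malformed lines
        {
            id = $2 " " $3                  # key type plus key blob identifies the key
            if ((id, $1) in seen) next      # count each host only once per key
            seen[id, $1] = 1
            if (id in hosts)
                hosts[id] = hosts[id] "," $1
            else
                hosts[id] = $1
            count[id]++
        }
        END {
            for (id in count)
                if (count[id] > 1) {
                    split(id, part, " ")
                    print part[1], substr(part[2], 1, 16), hosts[id]
                }
        }
    ' | sort
}

# Constructed sample: two VMs cloned from one image share a key, a third has its own.
# The addresses and key strings are placeholders, not real scan results.
sample_scan() {
    cat <<'EOF'
# constructed sample input
10.0.0.11 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEsharedKEY0000000000000000000000000
10.0.0.12 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEsharedKEY0000000000000000000000000
10.0.0.13 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEuniqueKEY1111111111111111111111111
EOF
}

# Demo run on the constructed sample; for a real check, pipe the output of
# ssh-keyscan for your own VM addresses into find_shared_host_keys instead.
sample_scan | find_shared_host_keys
```

An empty result means every scanned host presents a distinct key; any line printed names VMs that still need their host keys regenerated.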