However this has essentially exposed a massive number of protocol 2 implementations. If I run
a non-debian ssh server I still need to upgrade to an sshd that checks the blacklist right?
Since a debian using user could have sent me her debian-generated weak public key? That
account is now unsafe?
So if I make or allow a protocol 2 connection on a non-debian machine am I safe? Maybe; maybe
So bump the protocol and rest assured that anything accepting or making a protocol 2+
connection was implemented after the faulty PRNG debacle and move on.
Would it also avoid the blacklist - no blacklist lookup needed for protocol 2+ ?
I am not, by any means, a naive user - and yet I can't be sure I've correctly updated all my
systems. The fix is complex and subject to human error.