Linode Support Ticket 10029540 - Other - Important Notice Regarding Ubuntu 17.10 Image

We recently identified an issue with our Ubuntu 17.10 image which resulted in Linodes being created with the same SSH host keys. As a result of this, it is possible that an attacker could launch a man-in-the-middle (MITM) attack on your SSH sessions.

Any Ubuntu 17.10 Linode which was created between January 11 and February 22 is affected (other versions of Ubuntu are not affected). In addition to Linodes that were deployed during this time frame, images and backups that were taken of an affected system would also continue to have this issue present.

We recommend that you regenerate new SSH host keys using the procedure below as soon as possible to avoid the risk of a MITM attack.

How to remediate this issue on existing Linodes:

Please run the following commands as the root user:

rm -f /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
systemctl restart ssh

On systems which you have previously already used to SSH to your Linode, you may receive warnings when running ssh after regenerating your keys. To resolve these warnings, run the following command on your client:

ssh-keygen -R servername.example.com
(Change “servername.example.com” to the IP address or hostname of your server.)

How we will prevent this going forward:

New automated validation checks have already been added to our image build process which will help ensure that we do not provide images with pre-generated host keys in the future.

We sincerely apologize for any issues that you've encountered or concern that has been caused as a result of this, and we want you to know that we take this very seriously. The changes to our build process will ensure that this is not repeated in the future. If you have any questions about this notification, please let us know.

Kind Regards,
Tim Kelso
Customer Support Manager