I found all of my ubuntu 10.04 rightscale hosts had the same ssh key. The base image they use has one ssh host key that is never regenerated on instance creation, so effectively 100% of hosts are likely to have the same key for each system image.
RightScale has been notified and they are working on notification and fixes for customers.
The script in this gist will regenerate your keys if you have the ones I know of (on the ubuntu 10.04 rightscale image)
AMI: ami-7c16e315
| #!/bin/sh | |
| cd /etc/ssh | |
| bad_keys=$(cat <<BADKEYS) | |
| 73e10e532a190fb1d58563fe50c1650b ssh_host_dsa_key | |
| d6d3e737f2105eb80bf2c14681570d5e ssh_host_rsa_key | |
| BADKEYS | |
| #08b59f5d39331f9ac250281a7fd5e706 ssh_host_dsa_key.pub | |
| #f4846168fe5c612a2e8419007429075f ssh_host_rsa_key.pub | |
| needs_regen=$(echo "$bad_keys" | md5sum -c - 2> /dev/null | awk -F': ' '$2 == "OK" { print $1 }') | |
| for key in $needs_regen ; do | |
| cp $key $key.rightscale-badness | |
| cp $key.pub $key.pub.rightscale-badness | |
| type="$(echo "$key" | awk -F_ '{print $3}')" | |
| yes | ssh-keygen -q -t $type -N "" -f $key | |
| done | |
Please see the following RightScale Security Announcement for remedies.