2018-08-31 Bitnami build key present in Microsoft Azure server instances
During recent testing, we found that Bitnami single VMs for Azure Marketplace built after 25 May 2018 and before 29 August 2018 included the Bitnami build SSH key in the .ssh/authorized_keys file.
The mistaken inclusion of this SSH key permitted remote access to parties who had possession of the private key. This private key was solely in possession of Bitnami and has been destroyed. Users who wish to take all possible security-related steps may, however, still wish to remove the entry from their .ssh/authorized_keys file.
If you are running a Bitnami server that you think could be affected, execute the following command at your server console to check if the server includes that key and remove it:
$ curl -s https://downloads.bitnami.com/files/download/patch-script/key-remover.sh | sudo bash
Here is the output from an example run, showing that the key was found and removed:
bitnami@testpasswd:~$ curl -s https://downloads.bitnami.com/files/download/patch-script/key-remover.sh | sudo bash
Bitnami public key found at /root/.ssh/authorized_keys
This is /root/.ssh/authorized_keys now:
Key removed. Backup left at /root/.ssh/authorized_keys.backup-x2HAI
Bitnami public key found at /home/bitnami/.ssh/authorized_keys
This is /home/bitnami/.ssh/authorized_keys now:
Key removed. Backup left at /home/bitnami/.ssh/authorized_keys.backup-FZCwc
Success! The files below do not include the bitnami public key anymore:
/root/.ssh/authorized_keys
/home/bitnami/.ssh/authorized_keys
/home/user/.ssh/authorized_keys
If you prefer to remove the key manually, this is the key fingerprint:
If you have any questions about this process, you can visit our GitHub repository. We will be happy to help!
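For the manual removal route, matching by fingerprint can be done locally without piping a remote script into a root shell. The following is an added example, not Bitnami's key-remover.sh: it computes the SHA256 and MD5 fingerprints of each authorized_keys entry, removes entries matching a fingerprint passed on the command line, and leaves a backup. The script name and the `<value from the advisory>` placeholder are assumptions; the scanned paths follow the sample output above.

```python
import base64, glob, hashlib, shutil, sys
from pathlib import Path

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH public key type names

def key_fingerprints(line):
    """Return (SHA256, MD5) fingerprints of one authorized_keys line, or ()."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return ()
    # Options such as command="..." may precede the key type, so locate the
    # type field first; the base64 key blob is the field right after it.
    for kind, blob64 in zip(fields, fields[1:]):
        if kind.startswith(KEY_TYPES):
            try:
                blob = base64.b64decode(blob64, validate=True)
            except ValueError:
                return ()
            sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
            md5 = hashlib.md5(blob).hexdigest()
            return ("SHA256:" + sha,
                    "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)))
    return ()

def remove_key(path, target):
    """Remove every key matching target from path; return how many were removed."""
    path = Path(path)
    lines = path.read_text().splitlines(keepends=True)
    kept = [l for l in lines if target not in key_fingerprints(l)]
    removed = len(lines) - len(kept)
    if removed:
        shutil.copy2(path, path.with_name(path.name + ".backup"))  # keep the original
        path.write_text("".join(kept))  # rewrite in place: owner and mode unchanged
    return removed

if __name__ == "__main__":
    # Usage (hypothetical file name):
    #   sudo python3 remove_key.py 'SHA256:<value from the advisory>'
    target = sys.argv[1]
    for f in ["/root/.ssh/authorized_keys"] + glob.glob("/home/*/.ssh/authorized_keys"):
        if Path(f).is_file():
            print(f, "removed:", remove_key(f, target))
```

The fingerprint strings use the same `SHA256:` and `MD5:` forms that `ssh-keygen -l` prints, so a published fingerprint in either format can be passed as the target.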