Thanks for this report, however the VM you link to is not a publicly available VM distributed by the Kali Linux project, it is a private VM distributed by Offensive Security as part of the OffSec courseware. Therefore i'm closing this bug. I have notified the responsible Offsec parties and they will look into correcting the issue.

Oh and just fyi, the business of bug trackers automatically copying bugs into cleartext email is a little contentious when it comes to trying to maintain some security around communications. I don't mind using web forms at all -- HTTPS is way easier than PGP -- but that transport security is a little ruined after the fact. I think Bugzilla has a mechanism for PGP'ing updates on private issues, but afaict, nobody uses it.

Also, reporting this bug initially caused your WAF to freak out. It might have been the fact that I was trying to post a private key? Can't tell. Again, just FYI.

Also also, I've written to the holder of this key who registered it on GitHub, let him know the situation, and asked him to respect the disclosure embargo of 60 days.

Feel free to reclose this bug and let me know if OffSec needs anything else from me. Just wanted to get these comments in here.

Thanks for the update.
Not to seem dismissive, but the nature and severity of this bug didn't warrant any need for communication security or a disclosure embargo of any kind. If I understand correctly, this bug can be titled "Users should not use pre-generated SSH keys for 3rd party authentication". Offsec doesn't view this as a vulnerability in the PWK image as it doesn't affect any of the three C's of the underlying OS. It seems odd that Rapid7 researchers would consider this as a "product vulnerability" in the first place.

Sure, users shouldn't use pre-generated keys, but it appears that it's at least a little bit easy to accidentally use this pre-generated key (given that we've found it at least once in the wild).

I agree that the severity is quite low; it doesn't appear to be tied to an authorized_users file or anything like that. But if that's the case, why ship it at all? There doesn't seem to be any legitimate utility with this key.

IOW, users shouldn't use it, and OffSec shouldn't be handing it out. :) That's my take, anyway.

Agreed, however - distinguishing between "user error" and "product vulnerability" should be fairly easy when it comes to bug classification. I find it somewhat strange that Rapid7 would go through the whole process of vulnerability disclosure with CERT and requesting 60 day disclosure embargos from users - for something that can be chalked up as a cosmetic issue.

Regardless, the keys have been removed from the VM, and a new PWK image is currently being uploaded...so thanks for the heads up in any case!