vca
Joined: 25 Sep 2007
Posts: 17
Posted: Tue May 13, 2008 11:20 am
Post subject: What to do about the Debian bug weakened SSH keys?
Slashdot is discussing a bug in SSH key generation, introduced into the Debian source tree in late 2006, that has just been uncovered. Essentially someone removed the random seeding from key generation, making keys guessable. See:
http://it.slashdot.org/it/08/05/13/1533212.shtml
Now, what do we need to do with our Linodes to correct for this?

dfelicia
Joined: 30 Jul 2007
Posts: 34
Posted: Tue May 13, 2008 11:29 am
Switch to Gentoo :-)

pclissold
Joined: 24 Oct 2003
Posts: 470
Location: Netherlands
Posted: Tue May 13, 2008 1:02 pm
Post subject: Re: What to do about the Debian bug weakened SSH keys?
vca wrote:
    Now, what do we need to do with our linodes to correct for this?

Upgrade OpenSSL and re-generate all your SSH and SSL keys.

mwalling
Joined: 10 Dec 2007
Posts: 136
Posted: Tue May 13, 2008 1:16 pm
dfelicia wrote:
    Switch to Gentoo :-)

or slackware, or centos, or arch, or fedora, or suse, or mandrake...

SteveG
Joined: 30 Nov 2003
Posts: 214
Posted: Tue May 13, 2008 3:31 pm
It may be worth noting that the error was introduced in September 2006, and keys older than that should be fine.

bdonlan
Joined: 22 Jan 2008
Posts: 67
Posted: Tue May 13, 2008 5:22 pm
Does this apply to gnupg keys as well?

vca
Joined: 25 Sep 2007
Posts: 17
Posted: Tue May 13, 2008 5:56 pm
bdonlan wrote:
    Does this apply to gnupg keys as well?

No, in the Debian announcement:
http://lists.debian.org/debian-security-announce/2008/msg00152.html
they said:
"Keys generated with GnuPG or GNUTLS are not affected"
---
Stephen

dfelicia
Joined: 30 Jul 2007
Posts: 34
Posted: Tue May 13, 2008 8:25 pm
Quote:
    or slackware, or centos, or arch, or fedora, or suse, or mandrake...

Heh. Reminds me of a comment I enjoyed at the top of efudd's script from this thread:
Code:
    # Installation Tips:
    # gentoo: emerge XML-LibXML ....
    # debian: install gentoo OR apt-get install libxml-libxml-perl
    # redhat: install windows
    # slackware: rock on!

CoreDuo
Joined: 13 May 2008
Posts: 1
Posted: Tue May 13, 2008 9:36 pm
apt-get update
apt-get upgrade
http://www.us.debian.org/security/2008/dsa-1571
:)

SteveG
Joined: 30 Nov 2003
Posts: 214
Posted: Tue May 13, 2008 9:52 pm
CoreDuo wrote:
    apt-get update
    apt-get upgrade
    :)

That gives you the fixed software. That doesn't fix the existing weak keys (including host keys) or certificates that may have been generated. What fun!

bdonlan
Joined: 22 Jan 2008
Posts: 67
Posted: Tue May 13, 2008 10:41 pm
Updating SSH host keys:
Code:
    rm /etc/ssh/ssh_host_*            # remove the old (possibly weak) host keys
    dpkg-reconfigure openssh-server   # regenerates the missing host keys
    /etc/init.d/ssh restart           # might not be necessary
Obviously you will receive host key mismatch warnings after this. Replace the relevant key(s) in ~/.ssh/known_hosts with the key in /etc/ssh/ssh_host_rsa_key.pub on the server (copy down the value using your existing session).
Don't forget to update lish keys as well, if you're using Debian/Ubuntu locally!

Xan
Joined: 08 Feb 2004
Posts: 298
Location: Austin
Posted: Tue May 13, 2008 11:50 pm
Post subject: Web SSL certs
|
Don't forget that if you generated a certificate request with a compromised Debian-based distro, you'll need to replace your certificate. Hopefully that won't mean having to pay again...

path
Joined: 28 Mar 2008
Posts: 12
Location: Delaware
Posted: Wed May 14, 2008 7:12 am
|
SteveG wrote:
    CoreDuo wrote:
        apt-get update
        apt-get upgrade
        :)
    That gives you the fixed software. That doesn't fix the existing weak keys (including host keys) or certificates that may have been generated. What fun!

This will fix the keys on Ubuntu. They added an "openssh-blacklist" package that comes with the upgrade. It will check and offer to regenerate keys during the upgrade action. It also provides a "ssh-vulnkey" utility to allow users to check their individual keys. Not sure if Debian has the same thing, but I wouldn't be surprised if that's where it came from.

Xan
Joined: 08 Feb 2004
Posts: 298
Location: Austin
Posted: Wed May 14, 2008 10:06 am
|
http://wiki.debian.org/SSLkeys
This is the best page I've seen on the matter. It describes how this issue affects different packages you might be running, the use of ssh-vulnkey and dowkd.pl for testing keys, how to test SSL certificates, etc etc.
And you don't have to be running Debian at all to be affected. Basically if you've used a good key to talk to a machine with a bad key, your key may have been compromised.
Quote:
    * key generated with broken openssl = bad
    * key generated with good openssl and used to ssh from a machine with bad ssl = bad
    * key generated with good openssl and used to ssh from a machine with good ssl = good
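The ssh-vulnkey tool that path and Xan mention works by fingerprinting each public key and looking it up in a shipped blacklist of every key the broken generator could produce, one list per key type and size. The Python script below is an added illustration of that check, not code from the thread or from the real openssh-blacklist package: it parses constructed authorized_keys and known_hosts lines, computes the MD5 fingerprint ssh-keygen -l printed at the time, and tests membership in a stand-in blacklist. The key blobs, the hostname and the blacklist contents are all made up here.

```python
import base64
import hashlib
import struct

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b  # length-prefixed field of the key wire format

def _mpint(n: int) -> bytes:
    # big-endian magnitude, with a leading zero byte when the top bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def make_rsa_blob(e: int, n: int) -> bytes:
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)  # string "ssh-rsa", mpint e, mpint n

def parse_blob(blob: bytes):
    """Return (key type, size in bits) from a decoded public-key blob."""
    fields, off = [], 0
    while off < len(blob):
        (ln,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + ln])
        off += 4 + ln
    ktype = fields[0].decode()
    size = fields[2] if ktype == "ssh-rsa" else fields[1]  # n for RSA, p for DSA
    return ktype, int.from_bytes(size, "big").bit_length()

def fingerprint(blob: bytes) -> str:
    """Classic OpenSSH fingerprint (what ssh-keygen -l printed in 2008): MD5 of the blob."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))

def check_line(line: str, blacklist: dict) -> str:
    """Classify one authorized_keys or known_hosts line as 'weak', 'ok' or 'skip'."""
    parts = line.split()
    for i, tok in enumerate(parts):  # known_hosts lines carry a leading host field
        if tok in ("ssh-rsa", "ssh-dss") and i + 1 < len(parts):
            blob = base64.b64decode(parts[i + 1])
            # Lists are per (type, size): the broken PRNG yielded a small, enumerable set for each
            fps = blacklist.get(parse_blob(blob), set())
            return "weak" if fingerprint(blob) in fps else "ok"
    return "skip"  # comments, blank lines, unsupported key types

# Constructed sample data (NOT real keys); tiny moduli keep the example short.
WEAK_BLOB = make_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
GOOD_BLOB = make_rsa_blob(65537, 0xD1CE0123456789ABCDEF01)
# Stand-in for the distribution's shipped blacklist, indexed by (type, size).
BLACKLIST = {parse_blob(WEAK_BLOB): {fingerprint(WEAK_BLOB)}}
SAMPLE_LINES = ["ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " user@laptop",   # authorized_keys style
                "linode.example.com ssh-rsa " + base64.b64encode(GOOD_BLOB).decode(),  # known_hosts style
                "# comment line"]
```

Any line classified "weak" is a key to regenerate, on whichever machine it lives; note that this check only catches keys in the list, not a good key whose use from a broken client may have leaked it, which is the second case in Xan's quote.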

tronic
Joined: 04 Dec 2004
Posts: 123
Posted: Tue May 20, 2008 12:15 am
path wrote:
    SteveG wrote:
        CoreDuo wrote:
            apt-get update
            apt-get upgrade
            :)
        That gives you the fixed software. That doesn't fix the existing weak keys (including host keys) or certificates that may have been generated. What fun!
    This will fix the keys on Ubuntu. They added on an "openssh-blacklist" package that comes with the upgrade. It will check and offer to regenerate keys during the upgrade action. It also provides a "ssh-vulnkey" utility to allow users to check their individual keys. Not sure if Debian has the same thing, but I wouldn't be surprised if that's where it came from.

I had to do 'sudo apt-get update && sudo apt-get dist-upgrade' to get the full set of updated openssh packages since a few were held back otherwise.