|_&&']['20/22.#4[x3/2.|*#!1050|*#`/. gnu/linux; *nix. c 1 9 being redirected to /dev/null. issues to null@altair.uni.cx. *alt*.serving./at/.`{altair,algol,antares,arcturus,aldebaran,spica,ceti,vega,fomalhaut,rigel,sirius}./dot/.uni./dot/.cx'. ---- this blog still exists only for historical evidence (to my embarrassment). some of the non-laughable "articles" can be read at altair.uni.cx/growl/. :wq.

Saturday, May 24, 2008


as you probably know already, there's been a security alert for openssl.


”A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH.”


“It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.” (From the Debian Alert).


“You need to take action to continue using Launchpad features such as code hosting. We have deleted your SSH key from Launchpad because we have discovered a potential security vulnerability in the way your key was generated.”

also reported on _the_fridge_ for ubuntu (http://fridge.ubuntu.com/node/1445/).

right; how to fix this.

## update your system:

# install the security updates, i.e.:
feisty : openssh-client 1:4.3p2-8ubuntu1.3 openssh-server 1:4.3p2-8ubuntu1.3.
gutsy : openssh-client 1:4.6p1-5ubuntu0.3 openssh-server 1:4.6p1-5ubuntu0.3.
hardy : openssh-client 1:4.7p1-8ubuntu1.1 openssh-server 1:4.7p1-8ubuntu1.1.

## once the update is applied, weak user keys will be automatically rejected where possible.

# update openssh files.

that is, one shall check whether the key is affected by running the ssh-vulnkey tool (from the security update). (if in doubt, destroy that key and generate a new one.)

# to check all your own keys, assuming they are in the standard locations (~/.ssh/id_rsa || ~/.ssh/id_dsa || ~/.ssh/identity):
% ssh-vulnkey.

# to check all keys on your system:
% sudo ssh-vulnkey -a.

# to check a key in a non-standard location:
% ssh-vulnkey /path/to/key/.

if ssh-vulnkey says "COMPROMISED", the key is vulnerable and __should__ be replaced.

# regenerate any affected user keys openssh or, generate new keys using ssh-keygen, e.g.:
% ssh-keygen.

if necessary, update the files.

however, this situation occurred as the result of a programming bug, not as the result of making some weak key.
we all thank luciano bello, who discovered that the random number generator in deb's openssl package is predictable.


No comments:

; about::fdd.

My photo
twin peaks, 42 milky way, sol system, earth, United States
-----BEGIN GEEK CODE BLOCK----- GCS/E/IT/L/M/MU/P/S/TW/ dpu s:- a-- C++++(+++) UBHLSV++++ P---(P-) L+++++ E++(+++) W+++ N++++ o+++ K++++++ w O+ M-- V-- PS+++ PE/++ Y+++ PGP++++ t+++/* 5++>++++ X++++ R++@ !tv b++++ DI+++@ D++(+++) G+++++ e* h+>++ !r y**. ma+ k++ F3 X+++ ------END GEEK CODE BLOCK------

; blog.archive.

; labels.

Creative Commons Licence [Some Rights Reserved]Ionuț Jula :: licensed for reuse under this Creative Commons Licence.
                            Some rights reserved. | Creative Commons Attribution-Share Alike 3.0 Unported License.