canonical:
“A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH.”
debian:
“It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.” (From the Debian Alert).
launchpad:
“You need to take action to continue using Launchpad features such as code hosting. We have deleted your SSH key from Launchpad because we have discovered a potential security vulnerability in the way your key was generated.”
also reported on _the_fridge_ for ubuntu (http://fridge.ubuntu.com/node/1445/).
right; how to fix this.
## update your system:
# install the security updates, i.e.:
feisty : openssh-client 1:4.3p2-8ubuntu1.3, openssh-server 1:4.3p2-8ubuntu1.3
gutsy : openssh-client 1:4.6p1-5ubuntu0.3, openssh-server 1:4.6p1-5ubuntu0.3
hardy : openssh-client 1:4.7p1-8ubuntu1.1, openssh-server 1:4.7p1-8ubuntu1.1
once the update is applied, weak user keys will be automatically rejected where possible.
# update openssh
that is, check whether each key is affected by running the ssh-vulnkey tool (from the security update). (if in doubt, destroy that key and generate a new one.)
# to check all your own keys, assuming they are in the standard locations (~/.ssh/id_rsa || ~/.ssh/id_dsa || ~/.ssh/identity):
% ssh-vulnkey
# to check all keys on your system:
% sudo ssh-vulnkey -a
# to check a key in a non-standard location:
% ssh-vulnkey /path/to/key
if ssh-vulnkey says "COMPROMISED", the key is vulnerable and __should__ be replaced.
# regenerate any affected user keys: generate new keys using ssh-keygen, e.g.:
% ssh-keygen
if necessary, update the
however, this situation occurred as the result of a programming bug, not as the result of making some weak key.
we all thank luciano bello, who discovered that the random number generator in deb's openssl package is predictable.
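ssh-vulnkey works by comparing key fingerprints against a list of known weak keys. As an added example (not from the original post and not ssh-vulnkey's own code), the same kind of check in Python: fingerprint every key in an authorized_keys file, match it against a weak-fingerprint list, and flag DSA keys per the Debian alert quoted above. The key blobs and the `WEAK` list are constructed dummies, and all function names are hypothetical.

```python
import base64, hashlib, struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")
def wire(*fields):
    """SSH wire encoding: each field carries a 4-byte big-endian length prefix."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)

def md5_fingerprint(blob):
    """Classic OpenSSH fingerprint: colon-separated MD5 of the raw key blob."""
    return hashlib.md5(blob).digest().hex(":")

def parse_key(line):
    """Return (type, blob) from an authorized_keys or .pub line, else None."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok not in KEY_TYPES:
            continue  # skips leading options such as command="..."
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
        except ValueError:
            continue
        if blob.startswith(wire(tok.encode())):  # blob must name the same type
            return tok, blob
    return None

def audit(text, weak):
    """Return (line_no, type, fingerprint, verdict) for every key in text."""
    report = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#") or not (parsed := parse_key(line)):
            continue  # comment, blank line, or no parsable key
        ktype, blob = parsed
        fp = md5_fingerprint(blob)
        verdict = ("COMPROMISED" if fp in weak
                   else "DSA: compromised if ever used on an affected system"
                   if ktype == "ssh-dss" else "not listed")
        report.append((no, ktype, fp, verdict))
    return report

def sample_line(ktype, filler, prefix=""):
    """Constructed test data: a dummy blob, not a real key."""
    blob = base64.b64encode(wire(ktype.encode(), filler)).decode()
    return f"{prefix}{ktype} {blob} user@example"

SAMPLE = "\n".join(["# constructed authorized_keys file",
    sample_line("ssh-rsa", b"\x01" * 32),
    sample_line("ssh-rsa", b"\x02" * 32, 'command="/bin/true",no-pty '),
    sample_line("ssh-dss", b"\x03" * 32)])
WEAK = {md5_fingerprint(wire(b"ssh-rsa", b"\x01" * 32))}  # constructed weak list
```

Calling `audit(SAMPLE, WEAK)` reports line 2 as COMPROMISED, line 3 as not listed, and the DSA key on line 4 for replacement.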
1 comment:
Nice article. Thanks for sharing this information.