HEADS UP: blacklisting of weak ssh keys
Matthew Dillon
dillon at apollo.backplane.com
Fri May 16 09:45:31 PDT 2008
:
:By now every administrator and/or ssh user should have heard about the
:bug in debian's ssl library. If you've been offline for the past few days,
:start here:
:
:http://lists.debian.org/debian-security-announce/2008/msg00152.html
:http://metasploit.com/users/hdm/tools/debian-openssl
:
:While our OpenSSL library does not suffer from this bug, it is possible that
:some of your users have generated their keys on a buggy debian or
:debian-derivative (e.g. Ubuntu) system. This would mean their account can be
:easily compromised by a brute-force attack because of the relatively small
:number of keys that need to be tried.
:
:Today Simon updated our openssh to have the server reject any of the
:blacklisted keys by default. This may mean that some users will no longer be
:able to log in remotely, but the alternative is to leave the machine
:vulnerable to any of the key scanners circulating on the internet. If for
:some reason you need to allow the compromised keys you can set
:PermitBlacklistedKeys to Yes in your sshd_config.
:
:Also included in the update is the ssh-vulnkey program which you can use to
:compare the keys in your user accounts to the blacklist. Please note that the
:blacklist is not yet exhaustive; at the moment it covers only the keys
:created with the most common key generation parameters.
:
:It is strongly recommended that you upgrade your server (by rebuilding world)
:as soon as possible and remove any weak keys from the ~/.ssh/authorized_keys
:file. After this, you will have to arrange for any affected users to install
:new, properly generated, ssh keys.
:
:Any SSL certificates generated in the vulnerability window (2006-09-17 to now)
:on a debian system will have to be replaced as well.
:
:Aggelos
I am downloading the key fingerprints debian published and will run it
against all the accounts on leaf, pkgbox, and other machines.
-Matt
Matthew Dillon
<dillon at backplane.com>
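The check Aggelos describes (compare every key in a user's authorized_keys against the published fingerprint blacklist) can be scripted directly if ssh-vulnkey is not available on a box yet. The script below is an added example and is not ssh-vulnkey, not DragonFly's code, and not the Debian tool. It assumes the blacklist is a text file of lowercase hex MD5 fingerprints of the key blob, either the full 32 hex digits or, as in Debian's openssh-blacklist files, with the first 12 hex digits dropped; the suffix-matching rule is my assumption. The MD5 fingerprint itself is computed the same way `ssh-keygen -l` does: MD5 over the base64-decoded key blob. The sample keys and blacklist are constructed inline and are not real key material.

```python
"""Scan authorized_keys lines for MD5 fingerprints present on a weak-key blacklist.

Added example, not the ssh-vulnkey program.  Assumptions: blacklist lines are
lowercase hex MD5 fingerprints, either full (32 digits) or with the first 12
digits dropped (20 digits, Debian openssh-blacklist style).  Sample keys below
are constructed for the demonstration and are not real key material.
"""
import base64
import hashlib
import shlex
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, leading 0x00 if high bit set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_rsa_blob(e: int, n: int) -> bytes:
    """Build the SSH wire encoding of an RSA public key (RFC 4253 6.6)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Hex MD5 of the decoded key blob, the value 'ssh-keygen -l' prints (without colons)."""
    return hashlib.md5(blob).hexdigest()


def colon_fingerprint(hexdigest: str) -> str:
    """Render a hex digest as the familiar aa:bb:cc:... form."""
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_authorized_keys_line(line: str):
    """Return (keytype, blob, comment), or None for blank, comment or unparsable lines.

    Handles an optional options prefix such as command="..." or from="...".
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    try:
        tokens = shlex.split(stripped)   # keeps quoted option values together
    except ValueError:
        tokens = stripped.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:           # binascii.Error is a ValueError subclass
                return None
            # The blob itself starts with its key type; it must match the declared one.
            inner_len = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
            if blob[4:4 + inner_len] != tok.encode():
                return None
            return tok, blob, " ".join(tokens[i + 2:])
    return None


def load_blacklist(text: str) -> set:
    """Parse a blacklist file: '#' comments, one hex fingerprint per line, colons optional."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().replace(":", "")
        if line:
            entries.add(line)
    return entries


def is_blacklisted(hexdigest: str, blacklist: set) -> bool:
    """Full 32-digit match, or 20-digit suffix match (assumed Debian blacklist layout)."""
    return hexdigest in blacklist or hexdigest[12:] in blacklist


def scan_authorized_keys(text: str, blacklist: set) -> list:
    """Return one finding per parsed key: line number, type, fingerprint, weak flag."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_authorized_keys_line(line)
        if parsed is None:
            continue
        keytype, blob, comment = parsed
        fp = md5_fingerprint(blob)
        findings.append({"line": lineno, "type": keytype, "comment": comment,
                         "fingerprint": colon_fingerprint(fp),
                         "weak": is_blacklisted(fp, blacklist)})
    return findings


# Constructed sample data (not real keys): two placeholder 1024-bit moduli.
WEAK_BLOB = make_rsa_blob(65537, (1 << 1023) | 0x1234567)
GOOD_BLOB = make_rsa_blob(65537, (1 << 1023) | 0x7654321)
SAMPLE_BLACKLIST = "# constructed blacklist\n" + md5_fingerprint(WEAK_BLOB)[12:] + "\n"
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys for user alice (constructed)",
    'command="/usr/bin/rsync --server" ssh-rsa '
    + base64.b64encode(WEAK_BLOB).decode() + " alice@ubuntu-box",
    "ssh-rsa " + base64.b64encode(GOOD_BLOB).decode() + " alice@dragonfly",
])

if __name__ == "__main__":
    for f in scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS, load_blacklist(SAMPLE_BLACKLIST)):
        print("%s line %d %s %s %s" % ("WEAK" if f["weak"] else "ok  ", f["line"],
                                       f["type"], f["fingerprint"], f["comment"]))
```

To run it across real accounts, feed `scan_authorized_keys` the contents of each `~/.ssh/authorized_keys` (and `authorized_keys2`) and the downloaded blacklist; a key flagged weak should be removed from the file and its owner asked to generate a fresh pair on a non-affected system. As Aggelos notes, the published blacklist only covers the most common generation parameters, so a clean scan is not proof that a key was generated with a sound RNG.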