[PLUG] openssh-server upgrade/problem resolved
Sean Whitney
sean.whitney at gmail.com
Wed May 14 20:05:11 UTC 2008
Upgrading your Ubuntu boxes will result in regenerating the hostkey.
On Debian boxes, check the date of the keys; if they are prior to
September 2006, they are probably ok, otherwise I think you need to
replace the keys yourself.
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ''
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ''
Also there is a new package available in Ubuntu called
openssh-blacklist. It's also available in lenny and etch, using
deb http://security.debian.org/debian-security etch/updates main
Installing this will prevent compromised keys from logging into boxes.
Also check out the new command ssh-vulnkey in the openssh-client
package. It uses the openssh-blacklist package to highlight compromised
keys.
Finally, ssh-keygen -lf <file> will help you generate fingerprints to
help locate bad keys.
Sean
> Matt McKenzie wrote:
>> Did you hear about the SSH vulnerability that was patched in Debian and all
>> its derivatives (including Ubuntu)?
>> Debian:
>> http://lists.debian.org/debian-security-announce/2008/msg00152.html
>>
>> Ubuntu
>> https://lists.ubuntu.com/archives/ubuntu-security-announce/2008-May/000705.html
>>
>> Note this was a Debian (and derivative) specific issue, with the packages
>> (random number generator wasn't really random, getting "dirty" data), not an
>> issue with OpenSSH or OpenSSL itself.
>>
>> This is most likely the reason.
>> Not sure about the templates issue you saw but it could be there was
>> something related that was also fixed...
>>
>> As a side note you may want to regenerate your SSH keys on your Ubuntu box,
>> if you log into it remotely (probably even if you don't).
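The audit steps from Sean's post (key dates, ssh-keygen -lf fingerprints, ssh-vulnkey) collected into one script, as an added example that is not code from the thread. It assumes the weak-key window runs from September 2006 (as the post states) to the post's own date, that ssh-keygen is installed, and that ssh-vulnkey accepts -a to check all users' keys; the mtime verdict is only a hint, the blacklist check is what actually decides.

```shell
#!/bin/sh
# Flag SSH key files whose modification time falls in the Debian weak-PRNG
# window, print their fingerprints, and hand off to ssh-vulnkey when present.
set -e

# Assumed window, epoch seconds: 2006-09-01 (post says keys before this are
# probably ok) to 2008-05-15 (day after the post; fixed packages were out).
WEAK_START=1157068800
WEAK_END=1210809600

# classify_mtime EPOCH -> ok | suspect | regenerated
classify_mtime() {
    if [ "$1" -lt "$WEAK_START" ]; then echo ok
    elif [ "$1" -lt "$WEAK_END" ]; then echo suspect
    else echo regenerated
    fi
}

# file_mtime FILE -> epoch seconds (GNU stat, then BSD stat as fallback)
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# audit_key PUBKEY_FILE -> "<verdict> <fingerprint> <file>"
# Fingerprint comes from ssh-keygen -lf as in the post; "-" if it cannot
# be read (no ssh-keygen, or the file is not a public key).
audit_key() {
    verdict=$(classify_mtime "$(file_mtime "$1")")
    fp=$(ssh-keygen -lf "$1" 2>/dev/null | awk '{print $2}')
    echo "$verdict ${fp:--} $1"
}

# audit_all: host keys by mtime/fingerprint, then the real blacklist check.
# A "suspect" verdict means regenerate (ssh-keygen -f ... -N '' as above);
# "ok" by date alone is not proof, so ssh-vulnkey still runs.
audit_all() {
    for f in /etc/ssh/ssh_host_*_key.pub; do
        [ -f "$f" ] || continue
        audit_key "$f"
    done
    if command -v ssh-vulnkey >/dev/null 2>&1; then
        ssh-vulnkey -a   # checks host keys and every user's authorized_keys
    else
        echo "ssh-vulnkey not found: install openssh-client/openssh-blacklist"
    fi
}

if [ "${1:-}" = "--run" ]; then audit_all; fi
```

Run as `sh audit_keys.sh --run` on the box being checked; a constructed placeholder file dated inside the window is reported as suspect even before any blacklist lookup.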