[Sussex] SECURITY: SSH Keys Vulnerability On Debian and Debian-derived Distributions.
Steve Dobson
steve.dobson at syscall.org.uk
Wed May 14 13:39:59 UTC 2008
All
Yesterday it was announced that there is a vulnerability in OpenSSL in
Debian and Debian-derived distributions. Keys generated on Debian
systems may be weak and compromised with a brute-force attack. More
details can be read from below:
http://www.debian.org/security/2008/dsa-1571
http://wiki.debian.org/SSLkeys
If you admin a server using SSH it may well be advisable to delete all
authorized_keys files because they may be weak. The first reference
above has a script if you wish to check for weakness of
files/{user-/host-}keys.
If you're admining a Debian server then doing an {apt-get/aptitude}
dist-upgrade will upgrade the openssh packages and install a new one:
openssh-blacklist. This gives a new command:
ssh-vulnkey -a
Which checks standard places for weakness.
Steve
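
An added example, not part of the original message and not code from the openssh-blacklist package: a Python audit of authorized_keys content against a blacklist of weak-key fingerprints. It assumes each blacklist entry is the key's MD5 fingerprint with the first 12 hex digits dropped; the function names, key blobs, blacklist and file contents are all constructed for illustration.

```python
import base64
import hashlib
import re
import struct

KEY_RE = re.compile(r"(?<!\S)(ssh-rsa|ssh-dss)\s+([A-Za-z0-9+/]+={0,2})(?!\S)")

def blacklist_entry(blob):
    """Assumed blacklist format: MD5 fingerprint hex minus its first 12 digits."""
    return hashlib.md5(blob).hexdigest()[12:]

def parse_key(line):
    """Return (key_type, blob) from an authorized_keys line, or None."""
    if line.lstrip().startswith("#"):
        return None
    for m in KEY_RE.finditer(line):
        try:
            blob = base64.b64decode(m.group(2), validate=True)
        except ValueError:
            continue
        # A real blob begins with a length-prefixed copy of the key type.
        name = m.group(1).encode()
        if blob.startswith(struct.pack(">I", len(name)) + name):
            return m.group(1), blob
    return None

def audit(text, blacklist):
    """Return (line_number, key_type, status) for every key found in text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_key(line)
        if parsed:
            status = "WEAK" if blacklist_entry(parsed[1]) in blacklist else "ok"
            findings.append((n, parsed[0], status))
    return findings

def sample_blob(key_type, body):
    return struct.pack(">I", len(key_type)) + key_type.encode() + body

# Constructed sample data (not real keys): WEAK is blacklisted on purpose.
WEAK = sample_blob("ssh-rsa", b"constructed-blacklisted-key")
GOOD = sample_blob("ssh-dss", b"constructed-other-key")
SAMPLE_BLACKLIST = {blacklist_entry(WEAK)}
SAMPLE_FILE = "\n".join([
    'command="/bin/true",no-pty ssh-rsa %s alice@example' % base64.b64encode(WEAK).decode(),
    "ssh-dss %s bob@example" % base64.b64encode(GOOD).decode(),
])

if __name__ == "__main__":
    print(audit(SAMPLE_FILE, SAMPLE_BLACKLIST))
```

Any line reported as WEAK identifies a key to remove from the file and regenerate on a patched system.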