[Gllug] Debian / Ubuntu SSL vulnerability

John Winters john at sinodun.org.uk
Wed May 14 08:00:33 UTC 2008


> Eeek.
>
> "It is strongly recommended that all cryptographic key material which
> has been generated by OpenSSL versions starting with 0.9.8c-1 on
> Debian systems is recreated from scratch. Furthermore, all DSA keys
> ever used on affected Debian systems for signing or authentication
> purposes should be considered compromised"
>
> 	http://www.debian.org/security/2008/dsa-1571
> 	http://www.ubuntu.com/usn/usn-612-1
>
> That's a whole lot of extra work I could have done without. Ho hum.
> Time to start regenerating those keys...

I've seen lots of articles describing how to take steps to fix your keys,
and others describing what the coding error is, but I've yet to find
anything which describes in detail what the danger is.  Can anyone
elaborate?

There's a big difference between, "Anyone can walk into any system running
ssh" and "Sniffing an extended ssh session would allow someone to crack
your key quite easily".

Say one had an isolated system running ssh and a weak key stored on it as
an authorised key.  Without any further information, could a black hat now
gain access to that system?  How easily?

TIA,
John

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug




More information about the GLLUG mailing list