Debian OpenSSL vulnerability: Check your installation/keys
Posted by coldtobi | 14 May, 2008, 09:57
As I learned today from an announcement on the debian security list, there was a "patch" that broke the security of the OpenSSL library. The patch is Debian specific, so it applies only to Debian and its derivatives (e.g. Ubuntu). However, it was sufficient that the keys were created on an affected machine, so everyone could be affected if the keys were transferred to a third machine.
The error makes the host keys predictable, which renders them compromised.
For more information, you should read http://www.us.debian.org/security/2008/dsa-1571.
So how do you find out whether you are vulnerable? If you update your system (sid and etch), it will pull the necessary packages and ssh will prompt you that it will regenerate the keys now. Then you know. However, you can also open an extra shell and execute the (newly installed) ssh-vulnkey command. It will tell you whether you are affected (keys shortened to fit your screen ;-)):
# ssh-vulnkey
COMPROMISED: 2048 cd:44:8d:.... /etc/ssh/ssh_host_rsa_key.pub
COMPROMISED: 1024 3a:e5:72:.... /etc/ssh/ssh_host_dsa_key.pub
(Note that after you confirm, the key is regenerated.)
Not blacklisted: 2048 fa:eb:dc.... /etc/ssh/ssh_host_rsa_key.pub
Not blacklisted: 1024 14:23:35.... /etc/ssh/ssh_host_dsa_key.pub
Word of Warning: Key-based authorization might NOT work after the update, until you
Parsing for vulnerable SSH Keys
You can also use ssh-vulnkey against your $HOME/.ssh/* files. This can give you a clue which hosts are affected and helps you avoid forgetting a host. Simply execute ssh-vulnkey as a normal user, and it will check all files for you.
Note that it only shows whether a key is compromised or not. But the keys appear in the same order in the file as in the output, so open the file in vim or your editor of choice and delete the corresponding lines until all keys are ok. Please note that a key might not be recognized as unsafe, since it is only compared against a blacklist. So maybe it is easier to just discard all known hosts and also replace all authorized keys with newly generated ones.
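As an added example (not from the original post), the following Python script pairs the COMPROMISED lines of ssh-vulnkey's output with the entries of a known_hosts or authorized_keys file by MD5 fingerprint rather than by line order, so the lines to delete are found without counting. It assumes the output format shown above and ssh-rsa/ssh-dss entries in the key file; the sample keys are constructed toy values, not real keys, and the blacklist caveat still applies: only keys ssh-vulnkey reports as COMPROMISED are dropped.

```python
import base64
import hashlib
import struct

def _mpint(n):
    # RFC 4251 mpint: big-endian, length-prefixed, leading zero byte if the high bit is set
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(b)) + b

def rsa_blob(e, n):
    """ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    return struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)

def md5_fingerprint(blob):
    """Colon-separated MD5 fingerprint of a key blob, the form ssh-vulnkey prints."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))

def compromised_fingerprints(vulnkey_output):
    """Collect fingerprints from 'COMPROMISED: <bits> <fingerprint> <file>' lines."""
    bad = set()
    for line in vulnkey_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "COMPROMISED:":
            bad.add(parts[2])
    return bad

def prune_key_file(key_file_text, vulnkey_output):
    """Split a known_hosts/authorized_keys file into (kept, dropped) lines."""
    bad = compromised_fingerprints(vulnkey_output)
    kept, dropped = [], []
    for line in key_file_text.splitlines():
        fields = line.split()
        fp = None
        for i, f in enumerate(fields[:-1]):
            if f in ("ssh-rsa", "ssh-dss"):   # the next field is the base64 key blob
                fp = md5_fingerprint(base64.b64decode(fields[i + 1]))
                break
        (dropped if fp in bad else kept).append(line)   # comments/blank lines are kept
    return kept, dropped

# Constructed sample data: toy moduli, not real keys; the ssh-vulnkey lines are derived from them
GOOD = rsa_blob(65537, 0xC0FFEE1234567891)
BAD = rsa_blob(65537, 0xDEADBEEF87654321)
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# comment and blank lines are kept", "",
    "host1.example ssh-rsa " + base64.b64encode(GOOD).decode(),
    "host2.example ssh-rsa " + base64.b64encode(BAD).decode()])
SAMPLE_VULNKEY = ("Not blacklisted: 2048 " + md5_fingerprint(GOOD) + " /root/.ssh/known_hosts\n"
                  "COMPROMISED: 2048 " + md5_fingerprint(BAD) + " /root/.ssh/known_hosts")
```

Run prune_key_file on the real file contents and the captured ssh-vulnkey output, then write back only the kept lines.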
What other packages are affected?
Many other packages also use openssl for key/certificate generation. If in doubt, every certificate should be doubted. http://wiki.debian.org/SSLkeys gives a brief list of the packages that are affected. However, this list might not be complete.
To get a clue which packages use openssl, you can query aptitude:
aptitude search "~D openssl" | grep "^i"
This will list all installed packages which directly depend on openssl.
Ann :
23/02/2010, at 09:52
Thanks for the information!