Re: Fwd: Implications of Debian OpenSSL flaw for MIT PKINIT
Joey Hess <joeyh@debian.org> writes:
> Could you summarise the changes that should be made to the key-rollover
> page (or provide a patch)?
Absolutely. Here's a patch that I think captures the essence and the
important details.
--- rollover.html.orig 2008-05-16 15:07:35.000000000 -0700
+++ rollover.html 2008-05-16 15:07:11.000000000 -0700
@@ -261,27 +261,36 @@
in Debian 4.0 is not affected at all.
</p>
<p>
-In Lenny the separate binary package krb5-pkinit uses OpenSSL.
-</p><ul>
-<li>
-MIT Kerberos itself does not generate long-term key pairs even when the
-PKINIT plugin is used, so any vulnerable long-term key pairs would have
-been generated outside of the MIT Kerberos software itself. The PKINIT
-plugin only references existing key pairs and isn't responsible for key
+In Lenny the separate binary package krb5-pkinit uses OpenSSL. MIT
+Kerberos itself does not generate long-term key pairs even when the PKINIT
+plugin is used, so any vulnerable long-term key pairs would have been
+generated outside of the MIT Kerberos software itself. The PKINIT plugin
+only references existing key pairs and isn't responsible for key
management.
-</li>
-<li>
-All of the random session key generation inside the PKINIT plugin is
-done using the regular MIT Kerberos random key functions, <em>not</em> the
-OpenSSL random number generator, and hence sessions created via PKINIT
-are not subject to this vulnerability.
-</li>
-</ul>
-
+</p>
+<p>
+Long-term key pairs used with PKINIT may be affected if generated on an
+affected Debian system, but such generation is external to MIT Kerberos.
+</p>
<p>
-MIT Kerberos itself is not in affected. However, long-term key pairs used
-with PKINIT may be affected if generated on an affected Debian system, but
-such generation is external to MIT Kerberos.
+However, the OpenSSL random key functions are used for the DH exchange
+when PKINIT authentication is used, which means that an attacker may be
+able to use brute-force to gain access to the KDC response to a PKINIT
+authentication and subsequently gain access to any sessions created using
+service tickets from that authentication.
+</p>
+<p>
+Any KDCs using the PKINIT plugin from Lenny should have their libssl0.9.8
+packages upgraded immediately and the Kerberos KDC restarted with:
+</p>
+<p>
+/etc/init.d/krb5-kdc restart
+</p>
+<p>
+Any Kerberos ticket-granting tickets (TGTs) or encrypted sessions resulting
+from PKINIT authentication using a Kerberos KDC with the affected libssl
+should be treated as suspect; it's possible that attackers with packet
+captures will be able to compromise those keys and sessions.
</p>
<h1><a name="openswan">OpenSWAN / StrongSWAN</a></h1>
<pre>rm /etc/ipsec.d/private/`hostname`Key.pem /etc/ipsec.d/certs/`hostname`Cert.pem
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Reply to: