Re: [SECURITY] [DSA 1576-1] New openssh packages fix predictable randomness
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Florian Weimer wrote:
| ------------------------------------------------------------------------
| Debian Security Advisory DSA-1576-1 security@debian.org
| http://www.debian.org/security/ Florian Weimer
| May 14, 2008 http://www.debian.org/security/faq
| ------------------------------------------------------------------------
|
| Package : openssh
| Vulnerability : predictable random number generator
| Problem type : remote
| Debian-specific: yes
| CVE Id(s) : CVE-2008-0166
|
| The recently announced vulnerability in Debian's openssl package
| (DSA-1571-1, CVE-2008-0166) indirectly affects OpenSSH. As a result,
| all user and host keys generated using broken versions of the openssl
| package must be considered untrustworthy, even after the openssl update
| has been applied.
|
| 1. Install the security updates
|
| This update contains a dependency on the openssl update and will
| automatically install a corrected version of the libss0.9.8 package,
| and a new package openssh-blacklist.
|
| Once the update is applied, weak user keys will be automatically
| rejected where possible (though they cannot be detected in all
| cases). If you are using such keys for user authentication, they
| will immediately stop working and will need to be replaced (see
| step 3).
|
| OpenSSH host keys can be automatically regenerated when the OpenSSH
| security update is applied. The update will prompt for confirmation
| before taking this step.
|
| 2. Update OpenSSH known_hosts files
|
| The regeneration of host keys will cause a warning to be displayed when
| connecting to the system using SSH until the host key is updated in the
| known_hosts file. The warning will look like this:
|
| @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
| @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
| @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
| IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
| Someone could be eavesdropping on you right now (man-in-the-middle
attack)!
| It is also possible that the RSA host key has just been changed.
|
| In this case, the host key has simply been changed, and you should
update
| the relevant known_hosts file as indicated in the error message.
|
| It is recommended that you use a trustworthy channel to exchange the
| server key. It is found in the file /etc/ssh/ssh_host_rsa_key.pub on
| the server; it's fingerprint can be printed using the command:
|
| ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
|
| In addition to user-specific known_hosts files, there may be a
| system-wide known hosts file /etc/ssh/known_hosts. This is file is
| used both by the ssh client and by sshd for the hosts.equiv
| functionality. This file needs to be updated as well.
|
| 3. Check all OpenSSH user keys
|
| The safest course of action is to regenerate all OpenSSH user keys,
| except where it can be established to a high degree of certainty
that the
| key was generated on an unaffected system.
|
| Check whether your key is affected by running the ssh-vulnkey tool,
included
| in the security update. By default, ssh-vulnkey will check the
standard
| location for user keys (~/.ssh/id_rsa, ~/.ssh/id_dsa and
~/.ssh/identity),
| your authorized_keys file (~/.ssh/authorized_keys and
| ~/.ssh/authorized_keys2), and the system's host keys
| (/etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key).
|
| To check all your own keys, assuming they are in the standard
| locations (~/.ssh/id_rsa, ~/.ssh/id_dsa, or ~/.ssh/identity):
|
| ssh-vulnkey
|
| To check all keys on your system:
|
| sudo ssh-vulnkey -a
|
| To check a key in a non-standard location:
|
| ssh-vulnkey /path/to/key
|
After installing the update, i cant find the command "ssh-vulnkey".
The command "sudo: ssh-vulnkey" returns: "sudo: ssh-vulnkey: command not
found"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFIKrjMGKDIyHq95b4RAvrcAKCIIg6UKxDqVEmnM6RnGT8nI688/ACdHt3O
/TXn9ofjkqFxzBOCr0Yj2Ps=
=fuBH
-----END PGP SIGNATURE-----
Reply to: