Re: HEAD's UP: possible 0day SSH exploit in the wild

To: debian-security@lists.debian.org
Subject: Re: HEAD's UP: possible 0day SSH exploit in the wild
From: Russ Allbery <rra@debian.org>
Date: Fri, 10 Jul 2009 07:31:14 -0700
Message-id: <[🔎] 8763e0r4nh.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] h3753t$4nh$1@ger.gmane.org> (Peter Jordan's message of "Fri\, 10 Jul 2009 12\:28\:11 +0200")
References: <[🔎] 20090708143825.GF2565@gamma.logic.tuwien.ac.at> <[🔎] f9971d420907080811ob5aa5a2i68f611f65aaf8b1f@mail.gmail.com> <[🔎] 5344ee8d0907080814x1a155b54n8298267c13b5b86d@mail.gmail.com> <[🔎] 235a4bf70907080933i33b77b67t4f72e489313e26a1@mail.gmail.com> <[🔎] f971bab40907080937v33884e78nce8291d34140f3de@mail.gmail.com> <[🔎] 235a4bf70907081403s7e2b9aadpa1d21e289d940211@mail.gmail.com> <[🔎] 20090708211330.GR16064@morgul.net> <[🔎] h340h6$aik$1@ger.gmane.org> <[🔎] 87fxd5kie1.fsf@windlord.stanford.edu> <[🔎] h354au$nf9$1@ger.gmane.org> <[🔎] 20090709160454.GS16064@morgul.net> <[🔎] h359vf$g9v$1@ger.gmane.org> <[🔎] 87iqi1bspm.fsf@windlord.stanford.edu> <[🔎] h35evp$voi$1@ger.gmane.org> <[🔎] 9l3a95ve88.fsf@not-invented-here.oucs.ox.ac.uk> <[🔎] h35heg$8fa$1@ger.gmane.org> <[🔎] 87my7dab3d.fsf@windlord.stanford.edu> <[🔎] h35iig$btq$1@ger.gmane.org> <[🔎] 87prc98o0h.fsf@windlord.stanford.edu> <[🔎] h3753t$4nh$1@ger.gmane.org>

Peter Jordan <usernetwork@gmx.info> writes:

> Let the option
> 	master_key_type = des3-hmac-sha1
> as it is?

Yes.  The master key isn't used on the network and changing it is very
difficult in lenny.

> No change in /etc/krb5.conf required?

Correct.  Clients will negotiate the strongest available encryption key
automatically.

> should i renew all host keys?

Ideally, yes, since that will get them on AES only.  If you have any
existing keys that don't have AES keys, you do need to list fallback
enctypes as supported until you've rekeyed them or you won't be able to
authenticate to them.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>

References:
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Norbert Preining <preining@logic.at>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Leandro Minatel <leandrominatel@gmail.com>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Rafael Moraes <rafael@bsd.com.br>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Roger Bumgarner <roger.bumgarner@gmail.com>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Jim Popovitch <jimpop@gmail.com>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Roger Bumgarner <roger.bumgarner@gmail.com>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Noah Meyerhans <noahm@debian.org>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Russ Allbery <rra@debian.org>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Noah Meyerhans <noahm@debian.org>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Russ Allbery <rra@debian.org>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: pod <pod@herald.ox.ac.uk>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Russ Allbery <rra@debian.org>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Russ Allbery <rra@debian.org>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>

Prev by Date: Re: HEAD's UP: possible 0day SSH exploit in the wild
Next by Date: Re: HEAD's UP: possible 0day SSH exploit in the wild
Previous by thread: Re: HEAD's UP: possible 0day SSH exploit in the wild
Next by thread: Re: HEAD's UP: possible 0day SSH exploit in the wild
Index(es):
- Date
- Thread