Re: HEAD's UP: possible 0day SSH exploit in the wild

To: debian-security@lists.debian.org
Subject: Re: HEAD's UP: possible 0day SSH exploit in the wild
From: Russ Allbery <rra@debian.org>
Date: Fri, 10 Jul 2009 10:24:52 -0700
Message-id: <[🔎] 87ws6gih7f.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] h37sac$g2g$1@ger.gmane.org> (Peter Jordan's message of "Fri\, 10 Jul 2009 19\:04\:12 +0200")
References: <[🔎] 20090708143825.GF2565@gamma.logic.tuwien.ac.at> <[🔎] 5344ee8d0907080814x1a155b54n8298267c13b5b86d@mail.gmail.com> <[🔎] 235a4bf70907080933i33b77b67t4f72e489313e26a1@mail.gmail.com> <[🔎] f971bab40907080937v33884e78nce8291d34140f3de@mail.gmail.com> <[🔎] 235a4bf70907081403s7e2b9aadpa1d21e289d940211@mail.gmail.com> <[🔎] 20090708211330.GR16064@morgul.net> <[🔎] h340h6$aik$1@ger.gmane.org> <[🔎] 87fxd5kie1.fsf@windlord.stanford.edu> <[🔎] h354au$nf9$1@ger.gmane.org> <[🔎] 20090709160454.GS16064@morgul.net> <[🔎] h359vf$g9v$1@ger.gmane.org> <[🔎] 87iqi1bspm.fsf@windlord.stanford.edu> <[🔎] h35evp$voi$1@ger.gmane.org> <[🔎] 9l3a95ve88.fsf@not-invented-here.oucs.ox.ac.uk> <[🔎] h35heg$8fa$1@ger.gmane.org> <[🔎] 87my7dab3d.fsf@windlord.stanford.edu> <[🔎] h35iig$btq$1@ger.gmane.org> <[🔎] 87prc98o0h.fsf@windlord.stanford.edu> <[🔎] h3753t$4nh$1@ger.gmane.org> <[🔎] 8763e0r4nh.fsf@windlord.stanford.edu> <[🔎] h37sac$g2g$1@ger.gmane.org>

Peter Jordan <usernetwork@gmx.info> writes:
> Russ Allbery, Fri Jul 10 2009 16:31:14 GMT+0200 (CEST):

>> Yes.  The master key isn't used on the network and changing it is
>> very difficult in lenny.

> But for new installations a change is not a bad idea?

Yeah, for new installations it's generally best to start the master key
at the strongest supported key type.  MIT 1.7 supports rekeying, though,
which makes things much simpler.

>> Correct.  Clients will negotiate the strongest available encryption key
>> automatically.

> How can i see that the change has worked?

klist -e will show you the enctypes of the tickets in your cache.  You
can also check the enctypes of the tickets issued by the KDC in the KDC
logs, although those are numeric and a bit less easy to understand.

> It seems to work without renewing old keys (host/nfs). How can i see
> which enctypes the keys have.

kadmin examine on those principals.

> btw. if i list the principal for me in kadmin.local there are no
> values for Last successful authentication / Last failed authentication
> and ailed password attempts although the EQUIRES_PRE_AUTH Attribute is
> set:

Those fields aren't actually maintained in the database.  (There is code
to do so, but it's ifdefed out and has serious problems.)

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>

References:
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Norbert Preining <preining@logic.at>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Rafael Moraes <rafael@bsd.com.br>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Roger Bumgarner <roger.bumgarner@gmail.com>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Jim Popovitch <jimpop@gmail.com>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Roger Bumgarner <roger.bumgarner@gmail.com>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Noah Meyerhans <noahm@debian.org>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Russ Allbery <rra@debian.org>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Noah Meyerhans <noahm@debian.org>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Russ Allbery <rra@debian.org>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: pod <pod@herald.ox.ac.uk>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Russ Allbery <rra@debian.org>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Russ Allbery <rra@debian.org>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Russ Allbery <rra@debian.org>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>

Prev by Date: Re: HEAD's UP: possible 0day SSH exploit in the wild
Next by Date: Re: HEAD's UP: possible 0day SSH exploit in the wild
Previous by thread: Re: HEAD's UP: possible 0day SSH exploit in the wild
Next by thread: Re: HEAD's UP: possible 0day SSH exploit in the wild
Index(es):
- Date
- Thread