
Re: where did www.debian.org/security/key-rollover/ go?



On Tue, 2008-05-13 at 20:20 +0200, Rody wrote:
> In response to the latest security issue with ssl / ssh, i updated my packages 
> with the new fixed versions of ssl. However the steps to regenerate the keys 
> are not available on:
> www.debian.org/security/key-rollover/
> as the security advisory tells us.
> According to google, the page did exist 4 hours ago, but right now it's a dead 
> link.
> I could do one of two things without the rollover text:
> 
> 1) remove all packages with ssl and ssh in the name, and reinstall them after 
> that. The necessary keys should be created that way.
This is probably neither necessary nor sufficient.  It's not sufficient
because other programs (e.g., mail servers, database servers) may use
certificates generated with ssl.  Also, unless you purge the package it
may leave some old keys.
> 2) figure out for myself what combination of dpkg --configure commands i 
> should use to recreate all the keys on my systems.
> 
So far I have
1) regenerated keys in ~/.ssh, including tossing my old authorized keys
from other systems.  I put the new key on a diskette to take to my other
systems, since I assume transmitting via scp is not a good idea until they
are updated.

2) cd /etc/ssh; invoke-rc.d ssh stop; rm *host*; 
dpkg-reconfigure --default-priority openssh-server
I believe that if dpkg-reconfigure finds existing files it will leave
them alone, so you need to delete or move them.  I actually moved rather
than rm'd the old files.

I can't say I really understand the role of the keys in /etc/ssh vs
those in ~/.ssh, beyond the fact that the former establish host
identity.

As my previous message indicated, I'm not sure if such extreme measures
are necessary for rsa keys.  And I have several other server
applications that probably need new certificates.

With luck others who know more will comment, and the page of
instructions will reappear and grow.

Ross
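
The host-key procedure Ross describes (stop sshd, move the old ssh_host_* files aside, let dpkg-reconfigure recreate the missing ones), plus the two clean-up steps that follow on other machines (dropping the old host key from known_hosts and revoking an old user key from authorized_keys), written out as a script. This is an added example, not text from the mail above nor Debian's key-rollover page. It assumes Debian's layout (/etc/ssh, service name "ssh", invoke-rc.d) and, as the mail states, that dpkg-reconfigure openssh-server generates any host key pair that is missing; the function names and the sample files in the comments are the example's own.

```shell
#!/bin/sh
# SSH key rollover helpers (added example; not from the original mail or from
# Debian). Assumes /etc/ssh, the "ssh" init script and that
# "dpkg-reconfigure openssh-server" recreates missing ssh_host_* key pairs.
set -eu

# Move every ssh_host_* file out of $1 into backup dir $2 and print how many
# were moved. dpkg-reconfigure leaves existing key files alone, so they must
# be out of the way first; keeping them lets you compare fingerprints later.
stash_host_keys() {
    dir=$1 backup=$2 moved=0
    mkdir -p "$backup"
    for f in "$dir"/ssh_host_*; do
        [ -e "$f" ] || continue          # glob matched nothing
        mv "$f" "$backup/"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Regenerate host keys in $1 by hand (non-Debian hosts, or if you prefer not
# to rely on the package postinst). -N '' gives the passphrase-less key sshd needs.
regenerate_host_keys() {
    dir=$1
    for type in rsa ed25519; do
        ssh-keygen -q -N '' -t "$type" -f "$dir/ssh_host_${type}_key"
    done
}

# Print fingerprints of the public host keys in $1, to be passed to the admins
# of the other systems over a channel that does not depend on the key being replaced.
print_fingerprints() {
    for pub in "$1"/ssh_host_*_key.pub; do
        [ -e "$pub" ] || continue
        ssh-keygen -l -f "$pub"
    done
}

# Remove every plain (unhashed) known_hosts line in $1 whose host list (first
# field, comma-separated) contains $2; comments, blanks and hashed or marker
# lines are kept. Without this, clients refuse to connect after the rollover.
forget_known_host() {
    file=$1 host=$2
    awk -v h="$host" '
        /^[ \t]*#/ || NF == 0 { print; next }
        { n = split($1, names, ","); keep = 1
          for (i = 1; i <= n; i++) if (names[i] == h) keep = 0
          if (keep) print }' "$file" > "$file.new"
    mv "$file.new" "$file"
}

# Revoke one old user key: drop every authorized_keys ($1) entry whose key
# material equals that of public key file $2. Entries may start with options
# (from="...", command="..."), so the key is matched in any field.
revoke_authorized_key() {
    file=$1 pubfile=$2
    keydata=$(awk '{ print $2 }' "$pubfile")
    awk -v k="$keydata" '
        { keep = 1
          for (i = 1; i <= NF; i++) if ($i == k) keep = 0
          if (keep) print }' "$file" > "$file.new"
    mv "$file.new" "$file"
}

# The whole host-key rollover on a Debian system; run as root.
rollover_debian_host() {
    backup=/etc/ssh/old-keys-$(date +%Y%m%d%H%M%S)
    invoke-rc.d ssh stop
    stash_host_keys /etc/ssh "$backup" >/dev/null
    dpkg-reconfigure --default-priority openssh-server   # recreates missing keys
    invoke-rc.d ssh start
    echo "old keys kept in $backup; new host key fingerprints:"
    print_fingerprints /etc/ssh
}

case "${1:-}" in
    run) rollover_debian_host ;;
esac
```

Run it as `sh rollover.sh run` on the server, read the printed fingerprints to the people who will connect, and on each client remove the stale entry with `forget_known_host ~/.ssh/known_hosts host` (or `ssh-keygen -R host`, which also handles hashed known_hosts entries that the awk version skips) before accepting the new key. For user keys the order is the reverse of the host case: generate the new key pair in ~/.ssh, install the new public key on every system that had the old one, then call `revoke_authorized_key ~/.ssh/authorized_keys old.pub` there so the old key is no longer trusted anywhere.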

