Re: [Hampshire] OpenSSL in Debian is broken

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
M\Steve Kemp at <-
MMSean Gibbins at ->
Author: Hugo Mills
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] OpenSSL in Debian is broken

Reply to this message
gpg: failed to create temporary file '/var/lib/lurker/.#lk0x5762a100.hantslug.org.uk.8548': Permission denied
gpg: keyblock resource '/var/lib/lurker/pubring.gpg': Permission denied
gpg: Signature made Tue May 13 20:12:26 2008 BST
gpg: using DSA key 20ACB3BE515C238D
gpg: Can't check signature: No public key
On Tue, May 13, 2008 at 02:19:05PM +0100, Hugo Mills wrote:
> On Tue, May 13, 2008 at 08:57:50AM -0400, Andy Random wrote:
> > On Tue, 13 May 2008, Hugo Mills wrote:
> >
> > >On Tue, May 13, 2008 at 01:34:04PM +0100, Hugo Mills wrote:
> > >> This is kind of related to my talk on Saturday, but is important in
> > >>its own right:
> > >>
> > >>http://lists.debian.org/debian-security-announce/2008/msg00152.html
> > [SNIP]
> > > Sorry, forgot to mention -- this affects SSH, OpenVPN, DNSSEC and
> > >all X.509 certificates and sessions. It doesn't affect GPG keys,
> > >fortunately.
> >
> > Quoting from the link above "This is a Debian-specific vulnerability which
> > does not affect other operating systems which are not based on Debian."
> >
> > I assume this means that Ubuntu, Mepis and other Debian derivatives also
> > suffer the same issue? If so I hope they will be pushing through security
> > updates ASAP...
> 
>    I think that unless you hear otherwise, it's best to assume that
> they're affected. You could always get hold of the vulnerability
> tester given in the advisory and check your keys.

Ubuntu definitely *is* affected[1].

As far as I can tell, the best way of fixing your ssh keys is: 

 - Install the update
 - Delete the following files:
    ~/.ssh/id_*
    ~/.ssh/authorized_keys
    /etc/ssh/ssh_host_dsa_key*
    /etc/ssh/ssh_host_rsa_key*
 - Generate new host keys:
    sudo dpkg-reconfigure -plow openssh-server
    (Thanks to Adrian for pointing out the easy way)
 - Generate new personal keys:
    ssh-keygen -t rsa -b 4096
 - Restart the ssh daemon


Do this on all machines. Don't log out after deleting the host keys
(in /etc/ssh) as you won't be able to log back in by ssh.

As a precaution, I've also been regenerating the DH key exchange
moduli, which are kept in /etc/ssh/moduli. That's documented near the
bottom of the ssh-keygen man page.

I haven't looked at the X.509 situation yet.

Hugo.

[1] http://www.ubuntu.com/usn/usn-612-1 

-- 
=== Hugo Mills: hugo@... carfax.org.uk | darksatanic.net | lug.org.uk ===
  PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
                   --- Ceci n'est pas une pipe:  | ---

This message was posted to the following mailing lists:
Hampshire LUG
Mailing List Info | Nearby Messages		<-Re: [Hampshire] OpenSSL in Debian is broken[Hampshire] Debian Universe, is it dead->
Hampshire LUG Mailing List Archive administrated by WebmasterLurker (version 2.3)