gpg: failed to create temporary file '/var/lib/lurker/.#lk0x56843100.hantslug.org.uk.31150': Permission denied
gpg: keyblock resource '/var/lib/lurker/pubring.gpg': Permission denied
gpg: Signature made Tue May 13 20:12:26 2008 BST
gpg: using DSA key 20ACB3BE515C238D
gpg: Can't check signature: No public key
On Tue, May 13, 2008 at 02:19:05PM +0100, Hugo Mills wrote:
> On Tue, May 13, 2008 at 08:57:50AM -0400, Andy Random wrote:
> > On Tue, 13 May 2008, Hugo Mills wrote:
> >
> > >On Tue, May 13, 2008 at 01:34:04PM +0100, Hugo Mills wrote:
> > >> This is kind of related to my talk on Saturday, but is important in
> > >>its own right:
> > >>
> > >>http://lists.debian.org/debian-security-announce/2008/msg00152.html
> > [SNIP]
> > > Sorry, forgot to mention -- this affects SSH, OpenVPN, DNSSEC and
> > >all X.509 certificates and sessions. It doesn't affect GPG keys,
> > >fortunately.
> >
> > Quoting from the link above "This is a Debian-specific vulnerability which
> > does not affect other operating systems which are not based on Debian."
> >
> > I assume this means that Ubuntu, Mepis and other Debian derivatives also
> > suffer the same issue? If so I hope they will be pushing through security
> > updates ASAP...
>
> I think that unless you hear otherwise, it's best to assume that
> they're affected. You could always get hold of the vulnerability
> tester given in the advisory and check your keys.
Ubuntu definitely *is* affected[1].
As far as I can tell, the best way of fixing your ssh keys is:
- Install the update
- Delete the following files:
~/.ssh/id_*
~/.ssh/authorized_keys
/etc/ssh/ssh_host_dsa_key*
/etc/ssh/ssh_host_rsa_key*
- Generate new host keys:
sudo dpkg-reconfigure -plow openssh-server
(Thanks to Adrian for pointing out the easy way)
- Generate new personal keys:
ssh-keygen -t rsa -b 4096
- Restart the ssh daemon
Do this on all machines. Don't log out after deleting the host keys
(in /etc/ssh) as you won't be able to log back in by ssh.
As a precaution, I've also been regenerating the DH key exchange
moduli, which are kept in /etc/ssh/moduli. That's documented near the
bottom of the ssh-keygen man page.
I haven't looked at the X.509 situation yet.
Hugo.
[1]
http://www.ubuntu.com/usn/usn-612-1
--
=== Hugo Mills: hugo@... carfax.org.uk | darksatanic.net | lug.org.uk ===
PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
--- Ceci n'est pas une pipe: | ---