DragonFly kernel List (threaded) for 2008-05
HEADS UP: blacklisting of weak ssh keys
By now every administrator and/or ssh user should have heard about the
bug in debian's ssl library. If you've been offline for the past few days,
While our OpenSSL library does not suffer from this bug, it is possible that
some of your users have generated their keys on a buggy debian or
debian-derivative (e.g. Ubuntu) system. This would mean their account can be
easily compromised by a brute-force attack because of the relatively small
number of keys that need to be tried.
Today Simon updated our openssh to have the server reject any of the
blacklisted keys by default. This may mean that some users will no longer be
able to log in remotely, but the alternative is to leave the machine
vulnerable to any of the key scanners circulating on the internet. If for
some reason you need to allow the compromised keys you can set
PermitBlacklistedKeys to Yes in your sshd_config.
Also included in the update is the ssh-vulnkey program which you can use to
compare the keys in your user accounts to the blacklist. Please note that the
blacklist is not yet exhaustive; at the moment it covers only the keys
created with the most common key generation parameters.
It is strongly recommended that you upgrade your server (by rebuilding world)
as soon as possible and remove any weak keys from the ~/.ssh/authorized_keys
file. After this, you will have to arrange for any affected users to install
new, properly generated, ssh keys.
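To show what the authorized_keys audit described above amounts to, here is an added example (not ssh-vulnkey itself and not code from the DragonFly or OpenSSH projects): it parses authorized_keys lines, including ones with a leading options field, computes the MD5 fingerprint of each key blob and reports keys whose fingerprint is on a blacklist. The function names, the two placeholder keys and the BLACKLIST set are assumptions; the real ssh-vulnkey blacklist files use their own compact format, so the set here merely stands in for them.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss"}  # the key types the 2008 blacklists cover

def ssh_string(data: bytes) -> bytes:  # RFC 4251 string: 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data
def ssh_mpint(n: int) -> bytes:  # RFC 4251 mpint: a leading 0x00 is kept when the high bit is set
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))
def make_rsa_blob(e: int, n: int) -> bytes:  # ssh-rsa public key blob: "ssh-rsa", mpint e, mpint n
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
def md5_fingerprint(blob: bytes) -> str:  # MD5 of the raw blob, colon separated (ssh-keygen -l style)
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))
def blob_type(blob: bytes):  # key type string at the start of the blob; None if the blob is malformed
    length = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
    return blob[4:4 + length].decode("ascii", "replace") if 0 < length <= len(blob) - 4 else None

def classify_key_line(fields: list, blacklist: set) -> tuple:
    """(status, key_type, fingerprint, comment); status is WEAK, OK, or INVALID (blob does not decode)."""
    # An options field (from=, command=, ...) may precede the key type, so locate the type field first.
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        return ("INVALID", None, None, "")
    keytype, comment = fields[idx], " ".join(fields[idx + 2:])
    try:
        blob = base64.b64decode(fields[idx + 1], validate=True)
    except ValueError:
        blob = b""
    if blob_type(blob) != keytype:  # sshd likewise rejects a blob whose embedded type disagrees
        return ("INVALID", keytype, None, comment)
    fp = md5_fingerprint(blob)
    return ("WEAK" if fp in blacklist else "OK", keytype, fp, comment)

def audit_authorized_keys(text: str, blacklist: set) -> list:
    """One (line_number, status, key_type, fingerprint, comment) per key line; blank and # lines skipped."""
    return [(n,) + classify_key_line(raw.split(), blacklist)
            for n, raw in enumerate(text.splitlines(), start=1) if raw.split() and not raw.lstrip().startswith("#")]

# Constructed sample: small placeholder moduli, not real RSA keys; KEY_A plays the blacklisted key.
KEY_A, KEY_B = make_rsa_blob(65537, 0xC0FFEE0BADF00D42), make_rsa_blob(65537, 0xDEADBEEFCAFEF00D)
BLACKLIST = {md5_fingerprint(KEY_A)}  # stands in for the fingerprints that ship with ssh-vulnkey
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# authorized_keys for alice (constructed sample)",
    'command="/usr/bin/rsync --server" ssh-rsa ' + base64.b64encode(KEY_A).decode() + " alice@laptop",
    "ssh-rsa " + base64.b64encode(KEY_B).decode() + " alice@desktop",
    "ssh-rsa AAAA truncated",
])
```

Running `audit_authorized_keys` over a real ~/.ssh/authorized_keys with a real blacklist reports the line numbers to remove; only WEAK lines need replacing, INVALID lines were never usable for login anyway.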
Any SSL certificates generated in the vulnerability window (2006-09-17 to now)
on a debian system will have to be replaced as well.