DragonFly users List (threaded) for 2008-05
Re: HEADS UP: blacklisting of weak ssh keys
:By now every administrator and/or ssh user should have heard about the
:bug in debian's ssl library. If you've been offline for the past few days,
:While our OpenSSL library does not suffer from this bug, it is possible that
:some of your users have generated their keys on a buggy debian or
:debian-derivative (e.g. Ubuntu) system. This would mean their account can be
:easily compromised by a brute-force attack because of the relatively small
:number of keys that need to be tried.
:Today Simon updated our openssh to have the server reject any of the
:blacklisted keys by default. This may mean that some users will no longer be
:able to log in remotely, but the alternative is to leave the machine
:vulnerable to any of the key scanners circulating on the internet. If for
:some reason you need to allow the compromised keys you can set
:PermitBlacklistedKeys to Yes in your sshd_config.
:Also included in the update is the ssh-vulnkey program which you can use to
:compare the keys in your user accounts to the blacklist. Please note that the
:blacklist is not yet exhaustive; at the moment it covers only the keys
:created with the most common key generation parameters.
:It is strongly recommended that you upgrade your server (by rebuilding world)
:as soon as possible and remove any weak keys from the ~/.ssh/authorized_keys
:file. After this, you will have to arrange for any affected users to install
:new, properly generated, ssh keys.
:Any SSL certificates generated in the vulnerability window (2006-09-17 to now)
:on a debian system will have to be replaced as well.
I am downloading the key fingerprints debian published and will run it
against all the accounts on leaf, pkgbox, and other machines.
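The audit step described in the thread (comparing every key in users' authorized_keys files against the published fingerprint blacklist), as an added example; this is not the ssh-vulnkey program from the update and not code from the list. It assumes the blacklist is a text file of MD5 fingerprints in the colon-separated form `ssh-keygen -l` printed at the time, and the keys and blacklist below are constructed samples, not real keys.

```python
"""Flag authorized_keys entries whose MD5 fingerprint is on a weak-key blacklist."""
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data

def md5_fingerprint(blob: bytes) -> str:
    """MD5 of the raw key blob as 16 colon-separated hex bytes (old ssh-keygen -l style)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def parse_authorized_keys(text: str):
    """Yield (key_type, blob, comment) per key line; blank lines and comments are skipped.
    Leading options (no-pty, from=...) are tolerated as long as they contain no spaces."""
    for raw in text.splitlines():
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields):
            if field.startswith("ssh-") and i + 1 < len(fields):
                try:
                    blob = base64.b64decode(fields[i + 1], validate=True)
                except ValueError:
                    break  # not a decodable key blob; ignore this line
                n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
                if blob[4:4 + n] == field.encode():  # blob must declare the same key type
                    yield field, blob, " ".join(fields[i + 2:])
                break

def find_weak_keys(text: str, blacklist: set) -> list:
    """Return (fingerprint, comment) for every authorized key whose fingerprint is blacklisted."""
    return [(md5_fingerprint(blob), comment)
            for _, blob, comment in parse_authorized_keys(text)
            if md5_fingerprint(blob) in blacklist]

def make_rsa_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa key blob from dummy parameters (constructed sample, not a real key)."""
    mpint = lambda v: ssh_string(v.to_bytes((v.bit_length() + 8) // 8, "big"))
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)

WEAK_BLOB = make_rsa_blob(65537, 0xC0FFEE1234567)
GOOD_BLOB = make_rsa_blob(65537, 0xDEADBEEF987654321)
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample ~/.ssh/authorized_keys",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " alice@ubuntu-laptop",
    'no-pty,from="10.0.0.0/8" ssh-rsa ' + base64.b64encode(GOOD_BLOB).decode() + " bob@dragonfly",
])
# Constructed blacklist; in practice read one fingerprint per line from the published file.
SAMPLE_BLACKLIST = {md5_fingerprint(WEAK_BLOB)}

if __name__ == "__main__":
    for fp, comment in find_weak_keys(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BLACKLIST):
        print(f"WEAK KEY {fp} ({comment}): remove it and have the user generate a new key")
```

Run it over each account's authorized_keys in turn; only keys whose fingerprints appear in the blacklist are reported, so an incomplete blacklist (as the post warns) still leaves uncovered keys unflagged.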