[unisog] FYI: Debian/Ubuntu SSL/SSH vulnerability, logging issues
Andrew Daviel
advax at triumf.ca
Thu May 22 22:42:28 GMT 2008
FYI
We have been promoting the use of encrypted transport (i.e. SSH for shell
login) for years now, and I have been promoting public-key-based SSH
authentication for some time since the rise of dictionary-based attacks
and a security incident here involving an LKM rootkit.
Recently a problem was found in the Debian and Ubuntu Linux
implementations, meaning that the login method I believed to be the most
secure is in fact exploitable (I recommend that keys be further locked
down by listing allowable addresses, but few users do that).
If you have a recent Debian or Ubuntu system, running the
"etch" release (since September 2006), and have used it to generate an
SSH key used for access on any system (i.e. done "ssh-keygen" and placed a key in
.ssh/authorized_keys) :
1) upgrade OpenSSL on your system to a secure version (see e.g.
http://www.ubuntu.com/usn/usn-612-6)
2) Delete the weak key from authorized_keys
3) Generate a new keypair and install the public key
A weak key cam be brute-forced (guessed) in about 20 minutes; I have
verified this personally.
Standard OpenSSH server (sshd) does not log failed attempts unless
Loglevel=verbose is set in sshd_config, if login
attempts are made with PasswordAuthentication=no.
There is a script "dowkd.pl" available from
http://lists.debian.org/debian-security-announce/2008/msg00152.html
This is worth running. You need go get a file from CPAN:
cpan> install File::Temp
This can check for weak keys in users' authorized_keys files and also
in known_hosts, /etc/ssh/keyfiles
SSL certificates generated on affected systems will also exhibit some
vulnerability. At least one commercial certificate authority is replacing
affected certificates for free.
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
More information about the unisog
mailing list