[unisog] FYI: Debian/Ubuntu SSL/SSH vulnerability, logging issues
Alexander Clouter
alex-unisog at digriz.org.uk
Thu May 22 22:59:52 GMT 2008
Hi,
Andrew Daviel <advax at triumf.ca> [20080522 15:42:28 -0700]:
>
> FYI
>
> [snipped]
>
> There is a script "dowkd.pl" available from
> http://lists.debian.org/debian-security-announce/2008/msg00152.html
> This is worth running. You need to get a file from CPAN:
> cpan> install File::Temp
>
> This can check for weak keys in users' authorized_keys files and also
> in known_hosts, /etc/ssh/keyfiles
>
Better still, when you update Debian now, 'openssh-blacklist' is a dependency
of openssh-server which will automatically refuse to connect you to or permit
the use of insecure keypairs. It also has the damn useful tool 'ssh-vulnkey'
that you can call with the '-a' flag as root and have it test *all* the keys
it can find on your system.
Hats off to the Debian crew for making it very easy to find and prevent the
use of these keys.
Cheers
Alex
[1] optionally you can install 'openssh-blacklist-extra' too for a large
blacklist of less common key sizes
--
 _________________________
/ Better late than never. \
|                         |
\ -- Titus Livius (Livy)  /
 -------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
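As an added illustration (not code from this post, from dowkd.pl, or from the openssh-blacklist package), here is a small Python checker in the spirit of ssh-vulnkey: it walks an authorized_keys file, computes each key's MD5 fingerprint and looks the fingerprint tail up in a blacklist. The blacklist layout (one 20-hex-digit tail of the MD5 fingerprint per line, '#' comments) is assumed from the package's file format as I recall it; the keys, moduli and blacklist below are constructed for the demo and are not real weak keys.

```python
import base64
import hashlib

def ssh_string(data: bytes) -> bytes:
    # SSH wire-format string: uint32 big-endian length, then the bytes
    return len(data).to_bytes(4, "big") + data

def ssh_mpint(value: int) -> bytes:
    # SSH mpint: big-endian, with a leading 0x00 when the top bit is set
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def rsa_blob(e: int, n: int) -> bytes:
    # The public-key blob that an authorized_keys line carries base64-encoded
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def fingerprint_tail(blob: bytes) -> str:
    # Assumed blacklist lookup key: bare-hex MD5 fingerprint, first 12 digits dropped
    return hashlib.md5(blob).hexdigest()[12:]

def load_blacklist(text: str) -> set:
    # One 20-hex-digit tail per line; lines starting with '#' are comments
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")}

def check_authorized_keys(text: str, blacklist: set) -> list:
    # Returns (line_number, key_type, comment, is_weak) per key line. Option
    # prefixes (from=, command=, ...) are skipped by locating the key-type field;
    # quoted option values that contain spaces are not handled here.
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields) if f.startswith("ssh-")), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
        except ValueError:
            continue  # malformed key material: skip it rather than crash
        comment = " ".join(fields[idx + 2:])
        results.append((lineno, fields[idx], comment, fingerprint_tail(blob) in blacklist))
    return results

# Constructed demo data: tiny fake moduli (not real keys) and a blacklist that
# holds the tail of the first key's fingerprint. Not the Debian blacklist file.
WEAK_BLOB = rsa_blob(65537, 0xC0FFEE1234567891)
GOOD_BLOB = rsa_blob(65537, 0xDEADBEEF98765433)
SAMPLE_BLACKLIST = "# constructed blacklist\n" + fingerprint_tail(WEAK_BLOB) + "\n"
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " alice@lab",
    'from="10.0.0.0/8" ssh-rsa ' + base64.b64encode(GOOD_BLOB).decode() + " bob@lab",
])
```

Running `check_authorized_keys(SAMPLE_AUTHORIZED_KEYS, load_blacklist(SAMPLE_BLACKLIST))` flags alice's key as weak and bob's as clean; pointing the same functions at a real authorized_keys and the package's blacklist files is the obvious next step.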