[unisog] FYI: Debian/Ubuntu SSL/SSH vulnerability, logging issues
Reed Loden
reed at reedloden.com
Fri May 23 00:28:43 GMT 2008
On Thu, 22 May 2008 15:42:28 -0700 (PDT)
Andrew Daviel <advax at triumf.ca> wrote:
> There is a script "dowkd.pl" available from
> http://lists.debian.org/debian-security-announce/2008/msg00152.html
> This is worth running. You need to get a file from CPAN:
> cpan> install File::Temp
>
> This can check for weak keys in users' authorized_keys files and also
> in known_hosts, /etc/ssh/keyfiles
You'd be much better off using Ubuntu's ssh-vulnkey program than the
dowkd.pl script, as it has a more expansive blacklist, checks more
things, and has fewer false positives. I believe they've backported it to
Debian, but I'm not 100% sure on that.
http://www.debian.org/security/key-rollover/ and
http://www.ubuntu.com/usn/ (USN-612-*) both have some great information.
~reed
--
Reed Loden - <reed at reedloden.com>
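
How a blacklist check of the kind discussed in this thread works, as an added example that is not part of the original post and is not code from ssh-vulnkey or dowkd.pl: each public key's MD5 fingerprint is looked up in a list of known weak fingerprints. The truncated 20-hex-digit entry format is an assumption, and the key blobs and blacklist below are constructed.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # key types in use at the time of the advisory

def key_blob(line):
    """Decode the key blob from an authorized_keys or known_hosts line."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:          # skips leading options or host names
            try:
                return base64.b64decode(fields[i + 1], validate=True)
            except ValueError:          # malformed base64: not a usable key
                return None
    return None

def fingerprint(blob):
    """Classic OpenSSH fingerprint: MD5 of the raw public key blob, in hex."""
    return hashlib.md5(blob).hexdigest()

def blacklist_entry(blob):
    # Assumption: entries are the last 20 hex digits (80 bits) of the fingerprint.
    return fingerprint(blob)[-20:]

def find_weak(lines, blacklist):
    """Return (line number, fingerprint) for every key found in the blacklist."""
    hits = []
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        blob = key_blob(line)
        if blob is not None and blacklist_entry(blob) in blacklist:
            hits.append((number, fingerprint(blob)))
    return hits

# Constructed sample data: these blobs are not real keys.
WEAK = b"\x00\x00\x00\x07ssh-rsa" + b"constructed-weak-key"
GOOD = b"\x00\x00\x00\x07ssh-rsa" + b"constructed-good-key"
BLACKLIST = {blacklist_entry(WEAK)}
SAMPLE = [
    "# constructed authorized_keys content",
    'command="/bin/true",no-pty ssh-rsa %s alice@example' % base64.b64encode(WEAK).decode(),
    "ssh-rsa %s bob@example" % base64.b64encode(GOOD).decode(),
    "ssh-rsa not*base64 carol@example",
]

if __name__ == "__main__":
    for number, fp in find_weak(SAMPLE, BLACKLIST):
        print("line %d: blacklisted key, fingerprint %s" % (number, fp))
```

A key that matches needs to be regenerated and removed from every authorized_keys and known_hosts file that lists it.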