[unisog] FYI: Debian/Ubuntu SSL/SSH vulnerability, logging issues

Alexander Clouter alex-unisog at digriz.org.uk
Thu May 22 22:59:52 GMT 2008


Andrew Daviel <advax at triumf.ca> [20080522 15:42:28 -0700]:
> [snipped] 
> There is a script "dowkd.pl" available from
> http://lists.debian.org/debian-security-announce/2008/msg00152.html
> This is worth running. You need go get a file from CPAN:
>   cpan> install File::Temp
> This can check for weak keys in users' authorized_keys files and also 
> in known_hosts, /etc/ssh/keyfiles
Better still when you update Debian now 'openssh-blacklist' is a dependency 
of openssh-server which will automatically refuse to connect you to or permit 
the use of insecure keypairs.  It also has the damn useful tool 'ssh-vulnkey' 
that you can call with the '-a' flag as root and have it test *all* the keys 
it can find on your system.

Hat's off to the Debian crew for making it very easy to find and prevent the 
use of these keys.



[1] optionally you can install 'openssh-blacklist-extra' too for a large 
	blacklist of less common key sizes

/ Better late than never. \
|                         |
\ -- Titus Livius (Livy)  /
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.sans.org/pipermail/unisog/attachments/20080522/e45d8059/attachment.bin 

More information about the unisog mailing list