[unisog] FYI: Debian/Ubuntu SSL/SSH vulnerability, logging issues
alex-unisog at digriz.org.uk
Thu May 22 22:59:52 GMT 2008
Andrew Daviel <advax at triumf.ca> [20080522 15:42:28 -0700]:
> There is a script "dowkd.pl" available from
> This is worth running. You need to get a file from CPAN:
> cpan> install File::Temp
> This can check for weak keys in users' authorized_keys files and also
> in known_hosts, /etc/ssh/keyfiles
Better still, when you update Debian now, 'openssh-blacklist' is a dependency
of openssh-server, which will automatically refuse to connect you to or permit
the use of insecure keypairs. It also has the damn useful tool 'ssh-vulnkey'
that you can call with the '-a' flag as root and have it test *all* the keys
it can find on your system.
Hats off to the Debian crew for making it very easy to find and prevent the
use of these keys.
Optionally you can install 'openssh-blacklist-extra' too for a large
blacklist of less common key sizes.
/ Better late than never. \
\ -- Titus Livius (Livy) /