[unisog] FYI: Debian/Ubuntu SSL/SSH vulnerability, logging issues

Reed Loden reed at reedloden.com
Fri May 23 00:28:43 GMT 2008


On Thu, 22 May 2008 15:42:28 -0700 (PDT)
Andrew Daviel <advax at triumf.ca> wrote:

> There is a script "dowkd.pl" available from
> http://lists.debian.org/debian-security-announce/2008/msg00152.html
> This is worth running. You need to go get a file from CPAN:
>   cpan> install File::Temp
> 
> This can check for weak keys in users' authorized_keys files and also 
> in known_hosts, /etc/ssh/keyfiles

You'd be much better off using Ubuntu's ssh-vulnkey program than the
dowkd.pl script, as it has a more expansive blacklist, checks more
things, and has fewer false positives. I believe they've backported it to
Debian, but I'm not 100% sure on that.

http://www.debian.org/security/key-rollover/ and
http://www.ubuntu.com/usn/ (USN-612-*) both have some great information.

~reed

-- 
Reed Loden - <reed at reedloden.com>
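
The kind of authorized_keys blacklist check discussed in this thread, as an added example (not part of either message, and not code from dowkd.pl or ssh-vulnkey). It assumes each blacklist entry is the last 20 hex digits of a weak key's MD5 fingerprint, the format used by the openssh-blacklist files; the key blobs and the blacklist entry are constructed placeholders, not real keys.

```python
import base64, binascii, hashlib, re, struct

# Key type, base64 blob, optional comment; any options prefix before the type is skipped.
KEY_RE = re.compile(r"(?:^|\s)(ssh-rsa|ssh-dss)\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$")

def md5_hex(blob):
    """MD5 fingerprint of a decoded public key blob, hex without colons."""
    return hashlib.md5(blob).hexdigest()

def iter_keys(text):
    """Yield (lineno, keytype, blob, comment) for each well-formed key line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        m = None if line.startswith("#") else KEY_RE.search(line)
        if not m:
            continue  # blank line, comment, or not a key entry
        keytype, b64, comment = m.group(1), m.group(2), m.group(3) or ""
        try:
            blob = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            continue  # damaged entry
        # SSH wire format: the blob starts with uint32 length + key type name.
        name = keytype.encode()
        if blob[:4 + len(name)] != struct.pack(">I", len(name)) + name:
            continue
        yield lineno, keytype, blob, comment

def find_blacklisted(text, blacklist):
    """Return (lineno, keytype, comment, fingerprint) for blacklisted keys."""
    hits = []
    for lineno, keytype, blob, comment in iter_keys(text):
        fp = md5_hex(blob)
        if fp[-20:] in blacklist:  # assumed entry format: low 80 bits of MD5
            hits.append((lineno, keytype, comment, fp))
    return hits

def _sample_line(keytype, filler, comment, options=""):
    """Constructed placeholder entry: valid framing, filler instead of key material."""
    name = keytype.encode()
    blob = struct.pack(">I", len(name)) + name + filler
    return blob, f"{options}{keytype} {base64.b64encode(blob).decode()} {comment}"

WEAK_BLOB, _weak = _sample_line("ssh-rsa", b"\x01" * 64, "alice@laptop")
_, _ok = _sample_line("ssh-dss", b"\x02" * 64, "backup@host", 'command="/bin/true",no-pty ')
SAMPLE = f"# constructed authorized_keys\n{_ok}\n\n{_weak}\nssh-rsa not*base64 broken\n"
BLACKLIST = {md5_hex(WEAK_BLOB)[-20:]}  # constructed entry, not a real weak-key hash

if __name__ == "__main__":
    for lineno, keytype, comment, fp in find_blacklisted(SAMPLE, BLACKLIST):
        print(f"line {lineno}: {keytype} {comment} is blacklisted ({fp})")
```
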
