OpenSSL expoit

I am sure you have all ready about the OpenSSL exploit that was recently found in Debian:
http://lists.debian.org/debian-security-announce/2008/msg00152.html

It is worth noting that the exploit affects any keys that were built on a debian box after sarge (so etch, lenny, current sid). This also means that any box that has those keys as an authentication method is vulnerable too:

http://blog.drinsama.de/erich/en/linux/2008051401-consequences-of-sslssh-weakness.html

Because any of those boxes could already be compromised, if you are paranoid you should be careful about logging in with passwords to them too – basically if you are paranoid then you can’t really trust anything (so business as normal for paranoid people)

In order to fix your keys, you should probably do the following (thanks to Hugo Mills)

on all boxes you own

  • Install the patch
  • Delete the following files if the host keys are likely to be vulnerable:
    • /etc/ssh/ssh_host_dsa_key*
    • /etc/ssh/ssh_host_rsa_key*
  • Generate new host keys:
    • sudo dpkg-reconfigure -plow openssh-server
  • Restart the ssh daemon

And on all boxes you have access to via keys

  • Delete the following files:
    • ~/.ssh/authorized_keys
    • ~/.ssh/id_*
  • Generate new personal keys:
    • ssh-keygen -t rsa -b 4096

About Anton Piatek

Professional bit herder, amateur photographer. Linux and tech geek
This entry was posted in Debian, Linux. Bookmark the permalink.

Leave a Reply