On 5/15/08, Robert Lewko <[EMAIL PROTECTED]> wrote:
> On Thu, May 15, 2008 at 3:13 PM, Mark Carlson <[EMAIL PROTECTED]> wrote:
> > If you don't have any password-less logins set up, no need to
> > worry (unless you generated your own SSL certs on these systems, which
> > is also affected, so regenerate those too.)
> >
> > http://isc.sans.org/diary.html?storyid=4420
> >
> > The meat of it:
> >
> > "It is obvious that this is highly critical – if you are running a
> > Debian or Ubuntu system, and you are using keys for SSH authentication
> > (ironically, that's something we've been recommending for a long
> > time), and those keys were generated between September 2006 and May
> > 13th 2008 then you are vulnerable. In other words, those secure
> > systems can be very easily brute forced. What's even worse, H D Moore
> > said that he will soon release a brute force tool that will allow an
> > attacker easy access to any SSH account that uses public key
> > authentication."
> >
> > Whoops! If your SSH port faces the outside world and you have a
> > vulnerable key, this basically means that all someone has to do is
> > guess your username and a flurry of connection attempts later...
> > owned! (And may $deity help you if you have a key set up for root!)
> >
> > Do not delay. Get the updated version and regenerate your keys NOW!
> >
> > -Mark C.
>
> Mark, if you are running dapper on a box on the internet, does that
> mean that it's not sufficient to do the "apt-get update; apt-get
> upgrade"? Do you also have to use ssh-keygen to replace the keys in
> /etc/ssh and do that manually?
>
> I have two users on this machine - no password or key for root. Do I have
> to:
>
> cp /dev/null .ssh/authorized_keys
>
> get back to my client machine and:
>
> ssh-keygen -t ...
> ssh-copy-id ...
>
> to put a new key on the server machine?
Here are the Debian and Ubuntu announcements:

http://lists.debian.org/debian-security-announce/2008/msg00152.html
https://lists.ubuntu.com/archives/ubuntu-security-announce/2008-May/000705.html

I'm not sure the files /home/user/.ssh/id_* are re-generated by the update to the ssh package. Under normal circumstances, this would be devastating!

There are upgrade instructions for Ubuntu here that imply you need to run ssh-keygen yourself if you've generated your own keys in the past:

http://www.ubuntu.com/usn/usn-612-2

I'm not sure about Dapper, since the Debian announcement only talks about Etch.

-Mark C.

_______________________________________________
clug-talk mailing list
[email protected]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
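A worked example added to this thread (not code from either poster): Robert's plan is to wipe .ssh/authorized_keys on the server and push a freshly generated key with ssh-copy-id. On a server with several users and keys, a more careful version of that step retires only the entries whose key material matches the keys known to have been generated on an affected Dapper box, keeps everything else (restricted backup keys, keys already regenerated), and reports the OpenSSH-style SHA256 fingerprint of each removed entry so it can be cross-checked against `ssh-keygen -lf`. All key blobs below are constructed placeholders, not real key material.

```python
import base64
import hashlib

# Constructed sample data (not real key material): two keys made on the
# affected Dapper box and one key regenerated after the fix.
OLD_LAPTOP = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa constructed-old-laptop").decode()
OLD_BACKUP = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa constructed-old-backup").decode()
NEW_LAPTOP = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa constructed-regenerated").decode()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys",
    f"ssh-rsa {OLD_LAPTOP} robert@dapper-laptop",
    f'command="/usr/bin/rsync --server" ssh-rsa {OLD_BACKUP} backup',
    f"ssh-rsa {NEW_LAPTOP} robert@laptop-regenerated",
])
# Public keys being retired (the ones generated on the affected machine).
RETIRED_PUBKEYS = [f"ssh-rsa {OLD_LAPTOP} robert@dapper-laptop"]

def parse_entry(line):
    """Split one authorized_keys line into (options, keytype, blob, comment).
    Returns None for blank or comment lines. Options such as command="..."
    may precede the key type, so locate the key-type token first."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = stripped.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(tokens):
            return " ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob: unpadded
    base64 of the digest, as printed by ssh-keygen -lf."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def retire_keys(authorized_keys_text, retired_pubkeys):
    """Drop entries whose key blob matches a retired public key; comments,
    other users' keys and restricted keys are kept verbatim. Matching uses
    the blob, never the free-text comment. Returns (kept_lines, removed_fps)."""
    retired = {p[2] for p in map(parse_entry, retired_pubkeys) if p}
    kept, removed = [], []
    for line in authorized_keys_text.splitlines():
        parsed = parse_entry(line)
        if parsed and parsed[2] in retired:
            removed.append(fingerprint(parsed[2]))
        else:
            kept.append(line)
    return kept, removed
```

Write `kept` back to authorized_keys only after the new key from `ssh-copy-id` has been appended, so the account never loses its last working login.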

