Read this if you have a GNOME (ssh) account and it isn’t working and you want to know why.
Due to Debian security issue we’ve locked down the machines for public key authentication. See the announcement by Guilherme de S. Pastore to devel-announce-list below. Please ensure you’re subscribed to that list (as we expect people to be)! Generally announcements are spread via Planet GNOME as well, but that is more of an extra service. Please contact [EMAIL PROTECTED] if you have either: * Used a DSA key on a Debian/Ubuntu machine affected by the security * issue * Generated a DSA/RSA key on an affected Debian/Ubuntu machine Note: If you have a DSA key generated on a non-Debianb/Ubuntu (e.g. Red Hat) distribution (or whatever) and used it on a affected Debian/Ubuntu machine (meaning: ssh’ed from that machine, not to such a machine), you are affected as well. So please replace your key in such cases as well. Current plan: We’ll (well, Owen) remove all blacklisted SSH keys that we can find and inform affected people. This to avoid greatest security issues. Not sure yet what we’ll do about the DSA keys (they could be compromised now or in future whenever they’re used on an affected Debian/Ubuntu machine). Closing: I’m unfortunately way too busy to really help the sysadmins working on this.. plus the accounts people replacing the SSH keys. Thanks to everyone who’s helping. On Wed, May 14, 2008 at 10:52:29PM -0500, Guilherme de S. Pastore wrote: > As some of you have probably been made aware of somehow by now, the > Debian openssl package introduced an incorrect change in version > 0.9.8c-1, available since September 2007 and distributed with the > current stable release "etch", which resulted in the output of the > random number generator being predictable, as per CVE-2008-0166. > > That directly affects openssh, and any key generated on Debian or > Debian-derived systems from then until the recent security updates (on > Debian, versions 0.9.8c-4etch3 or 0.9.8g-9) is deemed potentially > compromised. > > It should be obvious from the start that we are exposed to risk by the > number of developers we have that use Debian or Ubuntu systems, and we > have run individual tests to reach the conclusion that we do, indeed, > have this kind of key installed on the GNOME servers. Hence, I regret to > inform that key authentication to GNOME machines has been disabled some > minutes ago for safety. We will be working into putting mechanisms into > place that allow for blacklisting upon authentication, so that the > insecure keys are selectively disabled and we can resume normal operation > as soon as possible. > > It is worth noting, however, that, for all we currently know, not all > cases can be detected by the algorithms we have, which would make it > insufficient to just remove the keys we know to be broken or blacklist > them. Therefore, it is EXTREMELY important that, if you think your key > has been generated in a system affected by this bug at the time, you > have your system updated, regenerate your SSH keys and get them replaced > by mailing [EMAIL PROTECTED] > > The Infrastructure Team may see a need to go a bit further than I have > described in due course, but new announcements will be sent out if that > is the case. > > We are sorry for the inconvenience, and hope not to have to disturb > development for long or delay the next tarballs due date. > > Yours, > > -- > Guilherme de S. Pastore > The GNOME Sysadmin Team > _______________________________________________ > gnome-hackers mailing list > [EMAIL PROTECTED] > http://mail.gnome.org/mailman/listinfo/gnome-hackers -- Regards, Olav -- devel-announce-list mailing list [email protected] http://mail.gnome.org/mailman/listinfo/devel-announce-list
