NOTE: still can't log in? you'll get mail shortly
On Fri, May 16, 2008 at 09:46:08AM +0200, Olav Vitters wrote:
> Read this if you have a GNOME (ssh) account and it isn’t working and you
> want to know why.
>
> Due to Debian security issue we’ve locked down the machines for public
> key authentication. See the announcement by Guilherme de S. Pastore to
> devel-announce-list below. Please ensure you’re subscribed to that list
> (as we expect people to be)! Generally announcements are spread via
> Planet GNOME as well, but that is more of an extra service.
>
> Please contact [EMAIL PROTECTED] if you have either:
> * Used a DSA key on a Debian/Ubuntu machine affected by the security
>   issue
> * Generated a DSA/RSA key on an affected Debian/Ubuntu machine
>
> Note: If you have a DSA key generated on a non-Debian/Ubuntu (e.g. Red
> Hat) distribution (or whatever) and used it on an affected Debian/Ubuntu
> machine (meaning: ssh’ed from that machine, not to such a machine), you
> are affected as well. So please replace your key in such cases as well.
>
> Current plan: We’ll (well, Owen) remove all blacklisted SSH keys that we
> can find and inform affected people. This to avoid greatest security
> issues. Not sure yet what we’ll do about the DSA keys (they could be
> compromised now or in future whenever they’re used on an affected
> Debian/Ubuntu machine).
>
> Closing: I’m unfortunately way too busy to really help the sysadmins
> working on this.. plus the accounts people replacing the SSH keys.
> Thanks to everyone who’s helping.
>
> On Wed, May 14, 2008 at 10:52:29PM -0500, Guilherme de S. Pastore wrote:
> > As some of you have probably been made aware of somehow by now, the
> > Debian openssl package introduced an incorrect change in version
> > 0.9.8c-1, available since September 2007 and distributed with the
> > current stable release "etch", which resulted in the output of the
> > random number generator being predictable, as per CVE-2008-0166.
> >
> > That directly affects openssh, and any key generated on Debian or
> > Debian-derived systems from then until the recent security updates (on
> > Debian, versions 0.9.8c-4etch3 or 0.9.8g-9) is deemed potentially
> > compromised.
> >
> > It should be obvious from the start that we are exposed to risk by the
> > number of developers we have that use Debian or Ubuntu systems, and we
> > have run individual tests to reach the conclusion that we do, indeed,
> > have this kind of key installed on the GNOME servers. Hence, I regret to
> > inform that key authentication to GNOME machines has been disabled some
> > minutes ago for safety. We will be working into putting mechanisms into
> > place that allow for blacklisting upon authentication, so that the
> > insecure keys are selectively disabled and we can resume normal operation
> > as soon as possible.
> >
> > It is worth noting, however, that, for all we currently know, not all
> > cases can be detected by the algorithms we have, which would make it
> > insufficient to just remove the keys we know to be broken or blacklist
> > them. Therefore, it is EXTREMELY important that, if you think your key
> > has been generated in a system affected by this bug at the time, you
> > have your system updated, regenerate your SSH keys and get them replaced
> > by mailing [EMAIL PROTECTED]
> >
> > The Infrastructure Team may see a need to go a bit further than I have
> > described in due course, but new announcements will be sent out if that
> > is the case.
> >
> > We are sorry for the inconvenience, and hope not to have to disturb
> > development for long or delay the next tarballs due date.
> >
> > Yours,
> >
> > --
> > Guilherme de S. Pastore
> > The GNOME Sysadmin Team
> > _______________________________________________
> > gnome-hackers mailing list
> > [EMAIL PROTECTED]
> > http://mail.gnome.org/mailman/listinfo/gnome-hackers
>
> --
> Regards,
> Olav
> _______________________________________________
> gnome-hackers mailing list
> [EMAIL PROTECTED]
> http://mail.gnome.org/mailman/listinfo/gnome-hackers

--
Regards,
Olav
--
devel-announce-list mailing list
[email protected]
http://mail.gnome.org/mailman/listinfo/devel-announce-list
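
Added example, not part of the original mails and not the GNOME sysadmins' own tooling: a sketch of the cleanup described above, flagging authorized_keys entries whose fingerprint is on a blacklist and marking DSA keys for review. The blacklist format (full MD5 hex digests), the function names and the sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

def make_blob(ktype, payload):
    """Build a constructed SSH wire-format blob: length-prefixed type + filler."""
    name = ktype.encode("ascii")
    return struct.pack(">I", len(name)) + name + payload

def md5_fingerprint(blob):
    """MD5 of the decoded key blob (the digest behind OpenSSH's classic fingerprint)."""
    return hashlib.md5(blob).hexdigest()

def audit_authorized_keys(text, blacklist):
    """Return (line_no, comment, verdict) for every key line in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        # Locate the key type; anything before it is an options field.
        pos = next((i for i, f in enumerate(fields) if f in ("ssh-rsa", "ssh-dss")), None)
        if line.lstrip().startswith("#") or pos is None or pos + 1 >= len(fields):
            continue
        try:
            blob = base64.b64decode(fields[pos + 1], validate=True)
        except ValueError:
            findings.append((line_no, "", "unparseable"))
            continue
        comment = " ".join(fields[pos + 2:])
        if md5_fingerprint(blob) in blacklist:
            verdict = "blacklisted"   # known weak key: remove it
        elif fields[pos] == "ssh-dss":
            verdict = "dsa-review"    # may be exposed by use on an affected host
        else:
            verdict = "not-listed"    # not proof of safety; detection is incomplete
        findings.append((line_no, comment, verdict))
    return findings

# Constructed sample input: placeholder blobs, not real keys.
WEAK = make_blob("ssh-rsa", b"\x01" * 32)
BLACKLIST = {md5_fingerprint(WEAK)}   # assumed format: full MD5 hex digests
SAMPLE = "\n".join([
    "# constructed authorized_keys",
    "ssh-rsa " + base64.b64encode(WEAK).decode() + " alice@etch-laptop",
    "no-pty ssh-dss " + base64.b64encode(make_blob("ssh-dss", b"\x02" * 32)).decode() + " bob@fedora",
    "ssh-rsa " + base64.b64encode(make_blob("ssh-rsa", b"\x03" * 32)).decode() + " carol@desktop",
])

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE, BLACKLIST):
        print(finding)
```

A "not-listed" verdict only means the key is absent from the blacklist supplied; as the announcement says, not every affected key can be detected this way.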
