Re: [SLUG] Anyone else having problems with Ubuntu's latest openvpn?
On Thu, May 15, 2008 at 07:39:01 +1000, Mary Gardiner wrote:
> I haven't tried OpenVPN yet, but a new security advisory came out this morning saying
>
> A regression was introduced in OpenVPN when using TLS and multi-client/server which caused OpenVPN to not start when using valid SSL certificates... It was also found that openssl-vulnkey from

That was it. I've applied the latest update and my vpn now works again :-)

Now, does anyone know why, if the problem is that only the 15-bit PID was used for entropy when these vulnerable keys were generated, the blacklists contain more than 2^15 keys? The 2048-bit RSA and 1024-bit DSA blacklists each have 98307 entries, and the openvpn blacklist has 98304. H.D. Moore's lists of ssh keys contain only 32K keys each, as I'd expect (http://metasploit.com/users/hdm/tools/debian-openssl/).

The reason I ask is that I've generated 32K limited-entropy 1024-bit RSA keys for a blacklist to check some keys we use internally (although it's extremely unlikely any of them were generated on a vulnerable system), and I was wondering if I should be generating more somehow. And if anyone wants my blacklist, let me know and I'll make it available.

Thanks,
John

-- 
I've had attacks of diarrhea that were cleaner than VisualBasic. -- Lionel Lauer

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
[SLUG] Debian SSH vulnerability: act now!
Just in case anyone missed it, there's been a major vulnerability for any SSH keys generated on a Debian system over the last two years or so ... apparently the random number generator wasn't being seeded right, so only a few distinct keys were actually generated.

The AARNET mirror doesn't have the updated packages as of this morning, but the Optusnet mirror does ... I suggest that:

-- you install the new openssh-client package (version 1:4.7p1-9 on unstable)
-- run ssh-vulnkey -a as root to find any vulnerable keys, and get your users to fix them.

-- 
Dr Peter Chubb  http://www.gelato.unsw.edu.au  peterc AT gelato.unsw.edu.au
http://www.ertos.nicta.com.au  ERTOS within National ICT Australia
Re: [SLUG] Debian SSH vulnerability: act now!
Peter Chubb wrote:
> Just in case anyone missed it, there's been a major vulnerability for any SSH keys generated on a Debian system over the last two years or so ... apparently the random number generator wasn't being seeded right, so only a few distinct keys were actually generated.
>
> The AARNET mirror doesn't have the updated packages as of this morning, but the Optusnet mirror does ... I suggest that:
> -- you install the new openssh-client package (version 1:4.7p1-9 on unstable)
> -- run ssh-vulnkey -a as root to find any vulnerable keys, and get your users to fix them.

... and anyone running a machine that accepts ssh key authentication, even if it's not running Debian, has to care about this. Check the keys that are being used to authenticate to your hosts, and consider your recovery options carefully given that we can't detect all of the vulnerable keys.

- Jeff

-- 
OSCON 2008: Portland OR, USA  http://conferences.oreilly.com/oscon/

  GNOME, launched specifically to counter a threat to our freedom, is the free software project par excellence. - Richard Stallman
Re: [SLUG] Debian SSH vulnerability: act now!
On Fri, May 16, 2008 at 09:24:00AM +1000, Peter Chubb wrote:
> Just in case anyone missed it, there's been a major vulnerability for any SSH keys generated on a Debian system over the last two years or so ... apparently the random number generator wasn't being seeded right, so only a few distinct keys were actually generated.
>
> The AARNET mirror doesn't have the updated packages as of this morning, but the Optusnet mirror does ... I suggest that:
> -- you install the new openssh-client package (version 1:4.7p1-9 on unstable)
> -- run ssh-vulnkey -a as root to find any vulnerable keys, and get your users to fix them.

This also includes any certificates created by openssl (apache, exim, postfix). It's a pain, but this is a link to the Ubuntu SSL checker: https://launchpad.net/ubuntu/+source/openssl-blacklist/

-- 
Better dead than mellow.
Re: [SLUG] Debian SSH vulnerability: act now!
For people not using Debian, the ssh-vulnkey logic has been repackaged with dependencies as a CPAN distribution and should be installable anywhere that has a Perl installation, including on Windows using Strawberry Perl (http://strawberryperl.com).

http://search.cpan.org/dist/Dowse-BadSSH/

The package is going through a couple of releases a day as it gets tweaked and cross-platform bugs are excised, so if you have any difficulties with it, wait 24 hours or so and try again.

Adam K

Peter Chubb wrote:
> Just in case anyone missed it, there's been a major vulnerability for any SSH keys generated on a Debian system over the last two years or so ... apparently the random number generator wasn't being seeded right, so only a few distinct keys were actually generated.
>
> The AARNET mirror doesn't have the updated packages as of this morning, but the Optusnet mirror does ... I suggest that:
> -- you install the new openssh-client package (version 1:4.7p1-9 on unstable)
> -- run ssh-vulnkey -a as root to find any vulnerable keys, and get your users to fix them.
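As an added example (not code from this thread, from ssh-vulnkey or from Dowse-BadSSH), here is a minimal checker in the same spirit: it parses an authorized_keys-style line, works out the key type and size so the right blacklist is consulted, and compares the truncated MD5 fingerprint. It assumes the Debian blacklist layout (last 20 hex digits of the MD5 fingerprint, one blacklist per key type and size); the two keys and the blacklist are constructed inline and are not real weak keys.

```python
import base64
import hashlib
import struct

# Assumption: a blacklist is keyed by (key type, key size) and holds the last
# 20 hex digits of each weak key's MD5 fingerprint, as the Debian
# openssh-blacklist files do. The two keys below are constructed, not real.

def ssh_string(data: bytes) -> bytes:  # one length-prefixed SSH wire string
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:  # SSH mpint: extra 0x00 byte if the top bit is set
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def rsa_blob(e: int, n: int) -> bytes:  # the blob base64-encoded in an ssh-rsa line
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def parse_blob(blob: bytes) -> list:
    """Split a public-key blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos + 4 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        fields.append(blob[pos:pos + length])
        pos += length
    return fields

def key_bits(fields: list) -> int:
    """Key size: bit length of the RSA modulus n (3rd field) or DSA prime p (2nd)."""
    idx = 2 if fields[0] == b"ssh-rsa" else 1
    return int.from_bytes(fields[idx], "big").bit_length()

def fingerprint_suffix(blob: bytes) -> str:
    """Last 80 bits of the MD5 fingerprint, the part the blacklists store."""
    return hashlib.md5(blob).hexdigest()[-20:]

def check_key(line: str, blacklists: dict) -> tuple:
    """Return (type, bits, is_blacklisted) for one authorized_keys-style line."""
    parts = line.split()  # skip any leading options such as command="..."
    i = next(i for i, p in enumerate(parts) if p in ("ssh-rsa", "ssh-dss"))
    blob = base64.b64decode(parts[i + 1])
    bits = key_bits(parse_blob(blob))
    weak = fingerprint_suffix(blob) in blacklists.get((parts[i], bits), set())
    return parts[i], bits, weak

# Constructed sample: two fake 1024-bit "moduli"; only the first is blacklisted.
WEAK_N, GOOD_N = 2**1023 + 12345, 2**1023 + 54321
WEAK_LINE = "ssh-rsa " + base64.b64encode(rsa_blob(65537, WEAK_N)).decode() + " weak@host"
GOOD_LINE = 'command="/bin/true" ssh-rsa ' + base64.b64encode(rsa_blob(65537, GOOD_N)).decode()
BLACKLISTS = {("ssh-rsa", 1024): {fingerprint_suffix(rsa_blob(65537, WEAK_N))}}
```

To use it against real keys, load each Debian blacklist file into the set for its (type, size) and feed it the lines of your authorized_keys files; a match is a key to replace, and a miss is not proof of safety, since the blacklists only cover the key sizes and platforms they were generated for.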
Re: [SLUG] Debian SSH vulnerability: act now!
Peter Chubb wrote:
> Just in case anyone missed it, there's been a major vulnerability for any SSH keys generated on a Debian system over the last two years or so ... apparently the random number generator wasn't being seeded right, so only a few distinct keys were actually generated.

For Ubuntu systems, dapper is not affected, so aside from compromised keys being introduced there, if you are on LTS, you should be mostly OK. But check anyway.

What a pain in the arse, eh?

dave
[SLUG] Minimum username length?
Folks. Anyone know if there is a default minimum username length for some (or all) current Linux distros? I have a vague recall from somewhere it's 4 characters minimum - but can't find any documentation to back this up.

DaZZa
Re: [SLUG] Minimum username length?
On Fri, 2008-05-16 at 14:35 +1000, DaZZa wrote:
> Anyone know if there is a default minimum username length for some (or all) current Linux distros? I have a vague recall from somewhere it's 4 characters minimum - but can't find any documentation to back this up.

My copy of O'Reilly's Practical UNIX and Internet Security (3rd edition) says that standard passwords are 1-8 characters, although modern systems will allow longer.

Most of my work involves Debian, and RHEL of varying ages. They all have system users with short names (bin, sys, lp and the like). The only time I've seen a single-character username was one added by a dodgy rootkit.

-- 
Pete
Re: [SLUG] Debian SSH vulnerability: act now!
And what has barely rated a mention is that anything you may have transmitted using SSH or SSL encryption using aforesaid weak keys may also be vulnerable to easy decryption. While a long shot, if someone has managed to capture whole packet traces of such a conversation, it might be a relatively easy (compared to using non-weak keys) brute force exercise to decode the traffic simply by trying all of the 32767 possible weak keys (this applies to SSH - not sure about SSL - though for self-signed certificates it could well be the same level of risk).

Of course, capturing traffic between client and server across the internet is not easy unless the bad guys are located in a carrier and an ISP, so the risk here is probably quite small.

Regards, Martin

On Fri, May 16, 2008 at 9:30 AM, Jeff Waugh wrote:
> Peter Chubb wrote:
>> Just in case anyone missed it, there's been a major vulnerability for any SSH keys generated on a Debian system over the last two years or so ... apparently the random number generator wasn't being seeded right, so only a few distinct keys were actually generated.
>>
>> The AARNET mirror doesn't have the updated packages as of this morning, but the Optusnet mirror does ... I suggest that:
>> -- you install the new openssh-client package (version 1:4.7p1-9 on unstable)
>> -- run ssh-vulnkey -a as root to find any vulnerable keys, and get your users to fix them.
>
> ... and anyone running a machine that accepts ssh key authentication, even if it's not running Debian, has to care about this. Check the keys that are being used to authenticate to your hosts, and consider your recovery options carefully given that we can't detect all of the vulnerable keys.
>
> - Jeff

-- 
Regards, Martin
Martin Visser
Re: [SLUG] Debian SSH vulnerability: act now!
On Fri, 2008-05-16 at 09:24 +1000, Peter Chubb wrote:
> Just in case anyone missed it, there's been a major vulnerability for any SSH keys generated on a Debian system over the last two years or so ... apparently the random number generator wasn't being seeded right, so only a few distinct keys were actually generated.

Today's XKCD sums up my feelings on the matter quite nicely. http://xkcd.com/424/

-- 
Pete
[SLUG] syntax color for div tags
Hi. Anyone know of a way to color matching div tags in html? I use vim.

Kind regards.

-- 
Luke Vanderfluit
Analyst / Web Programmer
e3Learning.com.au
08 8221 6422