And what has barely rated a mention is that anything you may have transmitted using SSH or SSL encryption using aforesaid weak keys may also be vulnerable to easy decryption. While a long shot, if someone has managed to capture whole packet traces of such a conversation, it might be a relatively easy (compared to using non-weak keys) brute force exercise to decode the traffic simply by trying all of the 32767 possible weak keys (this applies to SSH - not sure about SSL - though for self-signed certificates it could well be the same level of risk).
Of course, capturing traffic between client and server across the internet is not easy unless the bad guys are located in a carrier and an ISP, so the risk here is probably quite small. Regards, Martin On Fri, May 16, 2008 at 9:30 AM, Jeff Waugh <[EMAIL PROTECTED]> wrote: > <quote who="Peter Chubb"> > >> Just in case anyone missed it, there's been a major vulnerability for >> any SSH keys generated on a debian system over the last two years or >> so ... apparently the random number generator wasn't being seeded >> right, so only a few distinct keys were actually generated. >> >> The AARNET mirror doesn't have the updated packages as of this >> morning, but the Optusnet mirror does ... I suggest that >> -- you install the new openssh-client package (version 1:4.7p1-9 on >> unstable) >> -- run ssh-vulnkey -a as root to find any vulnerable keys, and get >> your users to fix them. > > ... and anyone running a machine that accepts ssh key authentication, even > if it's not running Debian, has to care about this. Check the keys that are > being used to authenticate to your hosts, and consider your recovery options > carefully given that we can't detect all of the vulnerable keys. > > - Jeff > > -- > OSCON 2008: Portland OR, USA http://conferences.oreilly.com/oscon/ > > "GNOME, launched specifically to counter a threat to our freedom, is > the free software project par excellence." - Richard Stallman > -- > SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ > Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html > -- Regards, Martin Martin Visser -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
