
Thread: OpenSSL vulnerability

  1. #1

    OpenSSL vulnerability in Debian---Ubuntu too?

    There's a problem in Debian's version of OpenSSL, with a predictable random number generator. The announcement is here: http://lists.debian.org/debian-secur.../msg00152.html . The problem makes key material, such as OpenVPN keys and SSH public-key authentication keys, vulnerable, and you need to replace the keys generated with old versions.

    Does this problem exist on Ubuntu too?


    EDIT bodhi.zazen: Adding information so that people do not need to read the entire thread for some basic information.

    1. There are a few tools to check your ssh keys; most are affected, so be warned.

    ssh-vulnkey is included in the update of openssh-server.

    On a Debian/Ubuntu box with ssh server installed :
    Code:
    sudo apt-get update && sudo apt-get dist-upgrade
    apt-get dist-upgrade will install the packages (apt-get upgrade *may* show the packages are held).

    You can then run :

    Code:
    sudo ssh-vulnkey -a
    If you see "Not Blacklisted: xxx.yyy.zzz /path/to/key", you are ok.

    The update will regenerate your server keys.

    2. If you are updating ssh keys on a remote server, be careful. When the ssh keys are regenerated, *some* users have lost the ssh connection. If you use keys to ssh into the server, first make sure you have alternate access to the server (temporarily allow logins with password?) until the new keys are in place.

    EDIT 2 bodhi.zazen: for clarification:

    This vulnerability affects more than ssh: ntp, imap, pop, smtp, tls, certificate authorities for pgp, openVPN, web servers with SSL, and more. Basically, anybody who used an SSL key generated with the affected version.

    More info can be found at http://www.debian.org/security/key-rollover/

    ~ Thanks Conficio for the clarification and link

    bodhi.zazen
    Last edited by bodhi.zazen; May 18th, 2008 at 12:59 AM.

  2. #2

    Re: OpenSSL vulnerability in Debian---Ubuntu too?

    http://www.ubuntu.com/usn/usn-612-1
    http://www.ubuntu.com/usn/usn-612-2


    Edit: URL modified to reflect change in Ubuntu, which also gives more detail about regenerating keys.
    Last edited by Monicker; May 13th, 2008 at 06:47 PM. Reason: Modified url

  3. #3

    Re: OpenSSL vulnerability in Debian---Ubuntu too?

    Is there a fast way to tell a computer to regenerate all the keys? How should I start doing it?

  4. #4

    Re: OpenSSL vulnerability in Debian---Ubuntu too?

    This came in the news today:

    http://lists.debian.org/debian-secur.../msg00152.html

    I hope we see a patch in Ubuntu soon.
    SuperMike
    When in doubt, follow the penguins.
    Evil Kitty is watching you

  5. #5

    Re: OpenSSL vulnerability in Debian---Ubuntu too?

    Quote Originally Posted by Tuna-Fish:
    Is there a fast way to tell a computer to regenerate all the keys? How should I start doing it?
    I'd like to know this too.

    I've upgraded the packages on my server, but do I need to do anything else?

  6. #6

    Re: OpenSSL vulnerability in Debian---Ubuntu too?

    Just watch for http://www.debian.org/security/key-rollover/

    EDIT: Does dowkd.pl from the Debian advisory find something for you? The program is a bit too quiet for my taste (no output).
    Last edited by jojo4u; May 13th, 2008 at 03:56 PM.

  7. #7

    Re: OpenSSL vulnerability in Debian---Ubuntu too?

    Quote Originally Posted by Tuna-Fish:
    Is there a fast way to tell a computer to regenerate all the keys? How should I start doing it?
    Okay here's how I did it for SSH. Not the most elegant way but it works.

    1. Login as root or use sudo.
    2. Copy your ssh configs so you can put them back later:
    Code:
    cp /etc/ssh/ssh_config ./
    cp /etc/ssh/sshd_config ./
    3. Purge openssh-server:
    Code:
    apt-get purge openssh-server
    4. Reinstall openssh-server:
    Code:
    apt-get install openssh-server
    5. While installing watch for the following output. If you see it then all is good:
    Code:
    Creating SSH2 RSA key; this may take some time ...
    Creating SSH2 DSA key; this may take some time ...
    6. Move back your old configs:
    Code:
    mv sshd_config /etc/ssh/
    mv ssh_config /etc/ssh/
    7. Restart sshd
    Code:
    /etc/init.d/ssh restart
    Note this won't work for Feisty, since it has no "apt-get purge"; you will need to manually delete the keys in /etc/ssh/ instead.
    Last edited by yaztromo; May 13th, 2008 at 04:15 PM. Reason: Clarification
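
    The same rollover as an added example (my script, not code from the thread, from the Ubuntu update or from the openssh package): it does the steps of post #7 without purging openssh-server, keeps the lockout warning from post #1 in mind, and parks the old keys as *.broken, the naming post #10 shows the update using. Assumptions: the function names (regen_host_keys, rollover), the default key type rsa (the 2008 packages also generated dsa; pass it explicitly on such systems, because current OpenSSH builds no longer generate DSA keys), and the sshd service name "ssh" as on Debian/Ubuntu.

    ```shell
    #!/bin/sh
    # Added example: regenerate OpenSSH host keys in place and restart sshd.
    # Old keys are kept as *.broken (the naming the Ubuntu update used) and the
    # new fingerprints are printed so they can be checked out of band before
    # any client accepts the changed host key.

    # regen_host_keys SSHDIR [TYPE...]   (default type: rsa)
    # Prints "TYPE FINGERPRINT" per new key; returns 1 if ssh-keygen is missing
    # or fails. Pass "rsa dsa" on the old systems this thread is about; modern
    # OpenSSH builds do not generate DSA keys any more.
    regen_host_keys() {
        sshdir=$1; shift
        command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 1; }
        [ $# -gt 0 ] || set -- rsa
        for t in "$@"; do
            key="$sshdir/ssh_host_${t}_key"
            # Keep the old material for forensics instead of deleting it.
            # A repeated run overwrites the previous .broken copy.
            for f in "$key" "$key.pub"; do
                [ -e "$f" ] && mv "$f" "$f.broken"
            done
            ssh-keygen -q -t "$t" -N '' -f "$key" || return 1
            printf '%s %s\n' "$t" "$(ssh-keygen -l -f "$key.pub" | awk '{print $2}')"
        done
    }

    # rollover SSHDIR BACKUPDIR [TYPE...]
    # Post #7's procedure without purging the package: back the config up,
    # regenerate the host keys, restart sshd. Run it from a session you can
    # afford to lose and keep a second way in (console, or password logins
    # enabled for the duration), as post #1 advises.
    rollover() {
        sshdir=$1; backupdir=$2; shift 2
        mkdir -p "$backupdir"
        cp -p "$sshdir/sshd_config" "$sshdir/ssh_config" "$backupdir/"
        regen_host_keys "$sshdir" "$@" || return 1
        # Service name assumed to be "ssh" (Debian/Ubuntu).
        if command -v systemctl >/dev/null 2>&1; then
            systemctl restart ssh
        else
            /etc/init.d/ssh restart
        fi
    }

    # Usage (as root):  rollover /etc/ssh /root/ssh-backup-$(date +%F) rsa dsa
    ```

    Record the printed fingerprints somewhere other than the server itself. Every client that has connected before will now get a host-key mismatch; the fix on the client is `ssh-keygen -R server` followed by comparing the new fingerprint against the recorded one, not blindly accepting the prompt.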

  8. #8

    Re: OpenSSL vulnerability in Debian---Ubuntu too?

    OK, found some old keys (gutsy or older=) and ran

    Code:
    perl dowkd.pl file /media/ACERDATA/LINUX/etc/ssh/*key*
    
    /media/ACERDATA/LINUX/etc/ssh/ssh_host_dsa_key:12: warning: unparsable line
    ...
    /media/ACERDATA/LINUX/etc/ssh/ssh_host_dsa_key.pub:1: weak key
    /media/ACERDATA/LINUX/etc/ssh/ssh_host_rsa_key:1: warning: unparsable line
    ...
    /media/ACERDATA/LINUX/etc/ssh/ssh_host_rsa_key.pub:1: weak key

  9. #9

    Re: OpenSSL vulnerability in Debian---Ubuntu too?

    How to use dowkd.pl as a quick sniff test for machines you control or are responsible for:

    Code:
    todb@mazikeen:~/Desktop$ perl dowkd.pl host 10.10.10.54
    # 10.10.10.54 SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
    # 10.10.10.54 SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
    10.10.10.54: weak key
    10.10.10.54: weak key
    Code:
    todb@mazikeen:~/Desktop$ perl dowkd.pl host planb-security.net
    # planb-security.net SSH-2.0-OpenSSH_5.0
    # planb-security.net SSH-2.0-OpenSSH_5.0
    (No hits == good)


    ..and for files:
    Code:
    todb@mazikeen:~/Desktop$ perl dowkd.pl file ~/.ssh/*
    /home/todb/.ssh/known_hosts:13: weak key
    /home/todb/.ssh/known_hosts:14: weak key
    /home/todb/.ssh/known_hosts:22: weak key
    ..etc.

    hth. have fun regenerating.

    -tod

  10. #10

    Re: OpenSSL vulnerability in Debian---Ubuntu too?

    EDIT: The new openssh-server package fixes your keys.

    About scanning your localhost for weak keys some additions to todb's post:

    Code:
    > perl dowkd.pl host localhost
    # localhost SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
    # localhost SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
    localhost: weak key
    localhost: weak key
    
    > perl dowkd.pl file /etc/ssh/*key* 
    /etc/ssh/ssh_host_dsa_key:0: open failed: Permission denied
    /etc/ssh/ssh_host_dsa_key.pub:1: weak key
    /etc/ssh/ssh_host_rsa_key:0: open failed: Permission denied
    /etc/ssh/ssh_host_rsa_key.pub:1: weak key
    After the upgrade of openssh-server:

    Code:
    > perl dowkd.pl host localhost                         
    # localhost SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.1
    # localhost SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.1
    
    > perl dowkd.pl file /etc/ssh/*key*
    /etc/ssh/ssh_host_dsa_key:0: open failed: Permission denied
    /etc/ssh/ssh_host_dsa_key.broken:0: open failed: Permission denied
    /etc/ssh/ssh_host_dsa_key.pub.broken:1: weak key
    /etc/ssh/ssh_host_rsa_key:0: open failed: Permission denied
    /etc/ssh/ssh_host_rsa_key.broken:0: open failed: Permission denied
    /etc/ssh/ssh_host_rsa_key.pub.broken:1: weak key
    Last edited by jojo4u; May 13th, 2008 at 04:44 PM.
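
    What dowkd.pl and ssh-vulnkey do in posts #1, #8, #9 and #10 (fingerprint every key in a file, look the fingerprint up in a blacklist, report per line) as an added example: my shell script, not code from the thread, from dowkd.pl or from the openssh-blacklist package. Assumptions: the fingerprint is the colon-separated MD5 of the decoded key blob (what `ssh-keygen -l` printed in 2008 and `ssh-keygen -l -E md5` prints now); the blacklist is a plain file of such fingerprints, one per line (the real openssh-blacklist package stores partial hashes in its own format, which is not reproduced here); the sample key lines and the two toy 40-bit RSA moduli are constructed for the demo and are not real compromised keys; fingerprint_md5, extract_key, scan_file and demo are my names.

    ```shell
    #!/bin/sh
    # Added example: scan authorized_keys / known_hosts / *.pub lines for
    # blacklisted SSH keys. Needs base64, md5sum, head, tail, sed, grep.

    # fingerprint_md5 BASE64_BLOB -> aa:bb:...:ff (MD5 of the raw key blob)
    fingerprint_md5() {
        printf '%s' "$1" | base64 -d | md5sum | cut -d' ' -f1 | sed 's/../&:/g; s/:$//'
    }

    # extract_key LINE -> prints "TYPE BLOB", or returns 1 if no key is found.
    # Skips authorized_keys options (command="...",no-pty) and known_hosts host
    # fields ("host" or "|1|salt|hash") by taking the first key-type token that
    # is followed by a base64 blob whose bytes 5..11 spell the same type.
    extract_key() {
        set -f; set -- $1; set +f
        prev=""
        for tok in "$@"; do
            case "$prev" in
                ssh-rsa|ssh-dss)
                    embedded=$(printf '%s' "$tok" | base64 -d 2>/dev/null | head -c 11 | tail -c 7)
                    if [ "$embedded" = "$prev" ]; then
                        printf '%s %s\n' "$prev" "$tok"
                        return 0
                    fi
                    ;;
            esac
            prev=$tok
        done
        return 1
    }

    # scan_file KEYFILE BLACKLIST -> one verdict line per non-comment line,
    # using the verdict words ssh-vulnkey uses: COMPROMISED / Not blacklisted.
    scan_file() {
        lineno=0
        while IFS= read -r line || [ -n "$line" ]; do
            lineno=$((lineno + 1))
            case "$line" in ''|'#'*) continue ;; esac
            if key=$(extract_key "$line"); then
                fp=$(fingerprint_md5 "${key#* }")
                if grep -qxF "$fp" "$2"; then
                    printf 'COMPROMISED: %s:%s %s %s\n' "$1" "$lineno" "${key%% *}" "$fp"
                else
                    printf 'Not blacklisted: %s:%s %s %s\n' "$1" "$lineno" "${key%% *}" "$fp"
                fi
            else
                printf 'Unparsable: %s:%s\n' "$1" "$lineno"
            fi
        done < "$1"
    }

    # Constructed sample keys (not real compromised keys). An ssh-rsa blob is
    # string "ssh-rsa" || mpint e || mpint n; e = 65537, n = a toy 40-bit value.
    weak_blob_b64() {
        printf '\000\000\000\007ssh-rsa\000\000\000\003\001\000\001\000\000\000\006\000\302\245\173\361\343' \
            | base64 | tr -d '\n'
    }
    good_blob_b64() {
        printf '\000\000\000\007ssh-rsa\000\000\000\003\001\000\001\000\000\000\006\000\331\363\240\267\301' \
            | base64 | tr -d '\n'
    }

    # demo DIR: write a constructed key file and a blacklist holding the weak
    # key's fingerprint into DIR, then scan the file.
    demo() {
        dir=$1
        weak=$(weak_blob_b64); good=$(good_blob_b64)
        {
            printf '# constructed known_hosts / authorized_keys mix\n'
            printf 'server.example.com ssh-rsa %s\n' "$weak"
            printf '|1|c2FsdA==|aGFzaA== ssh-rsa %s\n' "$good"
            printf 'command="/usr/bin/rsync",no-pty ssh-rsa %s backup@host\n' "$weak"
            printf 'ssh-rsa not-base64!! broken line\n'
        } > "$dir/keys"
        fingerprint_md5 "$weak" > "$dir/blacklist"
        scan_file "$dir/keys" "$dir/blacklist"
    }

    # Stand-alone run: scan the constructed sample. Set NO_DEMO=1 when sourcing.
    if [ -z "${NO_DEMO:-}" ]; then d=$(mktemp -d); demo "$d"; rm -rf "$d"; fi
    ```

    For real use, call `scan_file ~/.ssh/known_hosts blacklist.txt` with a blacklist you built by fingerprinting keys you have already identified as weak; the script only tells you whether a key is on your list, it cannot recognise a weak key it has never seen, which is exactly why the Debian and Ubuntu packages ship precomputed blacklists.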
