-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Florian Weimer wrote: | ------------------------------------------------------------------------ | Debian Security Advisory DSA-1576-1 [EMAIL PROTECTED] | http://www.debian.org/security/ Florian Weimer | May 14, 2008 http://www.debian.org/security/faq | ------------------------------------------------------------------------ | | Package : openssh | Vulnerability : predictable random number generator | Problem type : remote | Debian-specific: yes | CVE Id(s) : CVE-2008-0166 | | The recently announced vulnerability in Debian's openssl package | (DSA-1571-1, CVE-2008-0166) indirectly affects OpenSSH. As a result, | all user and host keys generated using broken versions of the openssl | package must be considered untrustworthy, even after the openssl update | has been applied. | | 1. Install the security updates | | This update contains a dependency on the openssl update and will | automatically install a corrected version of the libss0.9.8 package, | and a new package openssh-blacklist. | | Once the update is applied, weak user keys will be automatically | rejected where possible (though they cannot be detected in all | cases). If you are using such keys for user authentication, they | will immediately stop working and will need to be replaced (see | step 3). | | OpenSSH host keys can be automatically regenerated when the OpenSSH | security update is applied. The update will prompt for confirmation | before taking this step. | | 2. Update OpenSSH known_hosts files | | The regeneration of host keys will cause a warning to be displayed when | connecting to the system using SSH until the host key is updated in the | known_hosts file. The warning will look like this: | | @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ | @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ | @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ | IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! | Someone could be eavesdropping on you right now (man-in-the-middle attack)! | It is also possible that the RSA host key has just been changed. | | In this case, the host key has simply been changed, and you should update | the relevant known_hosts file as indicated in the error message. | | It is recommended that you use a trustworthy channel to exchange the | server key. It is found in the file /etc/ssh/ssh_host_rsa_key.pub on | the server; it's fingerprint can be printed using the command: | | ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub | | In addition to user-specific known_hosts files, there may be a | system-wide known hosts file /etc/ssh/known_hosts. This is file is | used both by the ssh client and by sshd for the hosts.equiv | functionality. This file needs to be updated as well. | | 3. Check all OpenSSH user keys | | The safest course of action is to regenerate all OpenSSH user keys, | except where it can be established to a high degree of certainty that the | key was generated on an unaffected system. | | Check whether your key is affected by running the ssh-vulnkey tool, included | in the security update. By default, ssh-vulnkey will check the standard | location for user keys (~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity), | your authorized_keys file (~/.ssh/authorized_keys and | ~/.ssh/authorized_keys2), and the system's host keys | (/etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key). | | To check all your own keys, assuming they are in the standard | locations (~/.ssh/id_rsa, ~/.ssh/id_dsa, or ~/.ssh/identity): | | ssh-vulnkey | | To check all keys on your system: | | sudo ssh-vulnkey -a | | To check a key in a non-standard location: | | ssh-vulnkey /path/to/key | After installing the update, i cant find the command "ssh-vulnkey". The command "sudo: ssh-vulnkey" returns: "sudo: ssh-vulnkey: command not found" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIKrjMGKDIyHq95b4RAvrcAKCIIg6UKxDqVEmnM6RnGT8nI688/ACdHt3O /TXn9ofjkqFxzBOCr0Yj2Ps= =fuBH -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
