On Thursday, 15.05.2008 at 07:11 +0200, Otto Moerbeek wrote:

> On Wed, May 14, 2008 at 07:43:25PM -0700, Darrin Chandler wrote:
> 
> > On Wed, May 14, 2008 at 10:22:11PM -0400, Ted Unangst wrote:
> > > On 5/14/08, Ben Calvert <[EMAIL PROTECTED]> wrote:
> > > > On May 14, 2008, at 5:22 PM, Darrin Chandler wrote:
> > > > > Are you sure that's a decent analysis? If you have a
> > > > > non-debian system with the full number of keys available, what
> > > > > are the chances that you've landed on one of the 32767 keys?
> > > > > Not very likely. So that analysis seems alarmist and
> > > > > sensational to me.
> > > 
> > > Because nobody would ever run ssh-keygen on their ubuntu desktop
> > > and copy that to authorized_keys on another computer.
> > 
> > Sure. Lots of those keys out there already. So is something like
> > ssh-vulnkey the right approach? I do have a couple of users on one
> > of my boxes. Mind, they're all good OpenBSD people and I really hope
> > their keys didn't come from a debian box. It'll be nice to find out
> > that the keys are ok.
> 
> You can use the perl script in the debian announcement to check host
> keys and user keys. 

For info

Debian (and thus also Ubuntu) have released updated openssh packages
which include a new tool called ssh-vulnkey which can be used to check
the running system[1] for vulnerable keys: ssh-vulnkey works similarly
to the Perl script in the Debian announcement.  The package has also had
an additional option added to sshd_config which blacklists (i.e. stops
use of) these vulnerable keys.  Once updated, Debian and Ubuntu systems
will reject connections based on these vulnerable keys.

One of my machines at home is an Ubuntu laptop and my OpenBSD box had a
copy of its public key in ~/.ssh/authorized_keys so that logging into it
is simpler from the laptop - if this box were exposed to the world, then
it would only take 32,000 attempts to get into it, if my username is
known.  I've removed the vulnerable public key from the OpenBSD box now.

I believe the original assessment was correct: *all* systems running SSH
ought to check for these vulnerable keys, not just those systems running
Debian or derivatives.  Yes, it's Debian's "fault", but we all have to
manage the consequences.  If only Debian and Ubuntu's openssh is
updated, then they will be *more* secure than non-updated OpenBSD,
Solaris, Red Hat Linux etc.

Cheers,

Dave.

[1] It checks host keys and also the contents of authorized_keys

-- 
Dave Ewart
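As an added example (not code from the post, from the Debian announcement's Perl script, or from ssh-vulnkey): a Python scan of an authorized_keys file in the spirit of the checks Dave describes. It parses each entry, including ones carrying an options prefix such as `from="..."`, validates that the base64 blob really is a key of the declared type, computes the colon-separated MD5 fingerprint that `ssh-keygen -l` printed at the time, and looks it up in a blacklist. The keys, the file contents and the blacklist are all constructed here; the real blacklist is the much larger set of fingerprints shipped with the updated Debian and Ubuntu packages, and the synthetic moduli below are not RSA keys of any kind.

```python
"""Scan authorized_keys entries against a fingerprint blacklist.

Constructed example: the blacklist below is a stand-in for the real
Debian/Ubuntu blacklist, and the key material is synthetic.
"""
import base64
import hashlib
import shlex
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519")


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint: big-endian, with a leading 0x00 if the high bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_blob(e: int, n: int) -> bytes:
    """The binary blob that is base64-encoded after 'ssh-rsa' in authorized_keys."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint (the ssh-keygen -l format of 2008)."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def parse_authorized_keys_line(line: str):
    """Return (options, keytype, blob, comment), or None for blank/comment lines.

    Raises ValueError for lines that are not usable key entries.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = shlex.split(stripped)  # keeps 'from="a b"' together as one token
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES or tok.startswith("ecdsa-sha2-"):
            break
    else:
        raise ValueError("no key type found")
    if i + 1 >= len(tokens):
        raise ValueError("key type without key data")
    keytype = tokens[i]
    try:
        blob = base64.b64decode(tokens[i + 1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"bad base64: {exc}")
    # The blob's first string must repeat the declared type, or it is not a key.
    if len(blob) < 4:
        raise ValueError("blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("blob type does not match declared key type")
    options = " ".join(tokens[:i]) or None
    comment = " ".join(tokens[i + 2:])
    return options, keytype, blob, comment


def scan_authorized_keys(text: str, blacklist: set) -> list:
    """Classify every entry as 'VULNERABLE' (on the blacklist), 'ok' or 'malformed'."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            parsed = parse_authorized_keys_line(line)
        except ValueError as exc:
            results.append({"line": lineno, "status": "malformed", "reason": str(exc)})
            continue
        if parsed is None:
            continue
        options, keytype, blob, comment = parsed
        fp = md5_fingerprint(blob)
        results.append({"line": lineno, "type": keytype, "fingerprint": fp,
                        "options": options, "comment": comment,
                        "status": "VULNERABLE" if fp in blacklist else "ok"})
    return results


# Constructed sample data: synthetic moduli, not real keys. WEAK_BLOB plays the
# role of a key produced by the broken PRNG; the blacklist is built from it.
WEAK_BLOB = rsa_blob(65537, 0xC0FFEEDEADBEEF0000000000000001)
GOOD_BLOB = rsa_blob(65537, 0xFACEFEEDCAFEBABE0000000000000001)
BLACKLIST = {md5_fingerprint(WEAK_BLOB)}

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# laptop key copied from an Ubuntu box (constructed)",
    'from="192.0.2.10",no-pty ssh-rsa ' + base64.b64encode(WEAK_BLOB).decode() + " dave@laptop",
    "ssh-rsa " + base64.b64encode(GOOD_BLOB).decode() + " dave@openbsd",
    "ssh-rsa not-base64!!! broken@line",
    "ssh-dss " + base64.b64encode(WEAK_BLOB).decode() + " mislabelled@line",
    "",
])

if __name__ == "__main__":
    for r in scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        print(r)
```

Malformed lines are reported rather than silently skipped: a scanner that ignores anything it cannot parse is exactly the kind of check that misses a weak key hidden behind an unusual options prefix.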
