A Debian "improvement" to the stock openssh code has introduced a bug
which means that the number of possible keys is reduced by a massive
factor, from longer-than-all-the-time-in-the-universe for a brute force
attack, to about-as-long-as-it-takes-the-kettle-to-boil.
See: http://www.ubuntu.com/usn/usn-612-2
There are updates, but the problem is that fixing the cause of bad keys
doesn't in itself fix the bad keys. Ubuntu have written a tool (which is
included in the updates) to detect and replace bad keys, with the effect
that next time you SSH into that server you find that the key has
changed and you need to update ~/.ssh/known_hosts.
However, I found that the updates wouldn't install; openssh-server and
openssh-client were being "held back". To fix this, I had to do:
sudo apt-get update
sudo apt-get install openssh-blacklist
sudo apt-get upgrade
Does this affect anyone here? Almost everyone using Ubuntu, I'd say. The
implication is not, however, that an attacker can just get into your
system; what it does mean is that protection against "man-in-the-middle"
attacks is pretty much removed (where someone sits between you and your
server intercepting your passwords etc). So everyone should be updating
- this is a major flaw, introduced by someone being "helpful" at Debian
by "fixing" code that wasn't broken in the core distribution. Not a good
day for Debian's security reputation, it has to be said.
Ubuntu 7.04, 7.10 and 8.04 are all affected.
[Anyone with a better grasp of the implications please feel free to
correct/update this.]
--
Mark Rogers // More Solutions Ltd (Peterborough Office) // 0845 45 89 555
Registered in England (0456 0902) at 13 Clarke Rd, Milton Keynes, MK1 1LG
_______________________________________________
Peterboro mailing list
https://mailman.lug.org.uk/mailman/listinfo/peterboro
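As an added illustration of what the key-checking tool in the post has to do (this is example code, not the Ubuntu tool's own source), the check below parses an OpenSSH public key line, takes its MD5 fingerprint, and looks the low 80 bits (the last 20 hex digits) up in a blacklist. The blacklist format and both sample keys are constructed for the example, not real Debian weak keys.

```python
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    # SSH wire format: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    # SSH mpint: big-endian two's complement, leading zero if high bit set.
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)


def make_rsa_pubkey_line(e: int, n: int) -> str:
    # Build an "ssh-rsa <base64 blob>" line; used here only to construct samples.
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()


def fingerprint_md5(pubkey_line: str) -> str:
    # Classic OpenSSH fingerprint: MD5 over the raw base64-decoded key blob.
    blob = base64.b64decode(pubkey_line.split()[1])
    return hashlib.md5(blob).hexdigest()


def load_blacklist(text: str) -> set:
    # Assumed format: '#' comment lines, then one 20-hex-digit suffix per line.
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")}


def is_blacklisted(pubkey_line: str, blacklist: set) -> bool:
    # Match on the low 80 bits of the fingerprint, as the blacklist stores them.
    return fingerprint_md5(pubkey_line)[-20:] in blacklist


# Constructed sample keys (arbitrary odd moduli, not real weak keys).
WEAK_KEY = make_rsa_pubkey_line(65537, int.from_bytes(b"sample-modulus-A" * 8, "big") | 1)
GOOD_KEY = make_rsa_pubkey_line(65537, int.from_bytes(b"sample-modulus-B" * 8, "big") | 1)
# Constructed blacklist listing only the first sample key.
BLACKLIST = load_blacklist("# constructed blacklist\n" + fingerprint_md5(WEAK_KEY)[-20:] + "\n")

if __name__ == "__main__":
    for name, key in (("WEAK_KEY", WEAK_KEY), ("GOOD_KEY", GOOD_KEY)):
        print(name, "COMPROMISED" if is_blacklisted(key, BLACKLIST) else "ok")
```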