> > > > > *cough cough* > > > > > > > > > http://perimetergrid.com/wp/2008/05/17/ubuntudebian-crng-cracked-ssh-vulnerable/ > > > > Missed that one. Seems to be limited to Debian's RNG, and affects > > only the key generation process, not the protocol itself. > > > > > > > quite correct. point being, even SSH keys aren't perfect.
Huh, that's interesting. Although the bug that was created, ironically enough by a erroneous bug fix, affects SSH Keys due to the entropy of the seed being reduced to 15 bits the vulnerability is in the OpenSSL libraries. Ouch! One of the things I always find interesting about security vulnerabilities is that no one ever talks about true risk. Just because there's a vulnerability doesn't mean someone is going to come knocking on your door to exploit it unless you have something of very high interest or value to a potential cracker. If I understand this correctly the "possible attempted break-in" messages are mass script attacks attempting to exploit common usernames and keys whereas with the RNG bug someone would have to intentionally and specifically run an attack against the RNG to generate the correct key. That is, I'm thinking this level of attack is not from a botnet script that just throwing common usernames and passwords at every SSH open port on the internet it can find. You can also use a passphrase when generating your SHH pub/priv key pairs. An SSH key passphrase is a secondary form of security that gives you a little time when your keys are stolen. _______________________________________________ PLUG mailing list PLUG@lists.pdxlinux.org http://lists.pdxlinux.org/mailman/listinfo/plug
