On Tue, 2008-05-13 at 18:14 +0100, Alan Pope wrote: > I thought it wise to forward this to the group. There will likely be > further discussion about this issue as the week progresses. In a > nutshell there's a flaw in OpenSSL in Debian, which we also have in > Ubuntu. Read the attached email for more information. >
Hi Al, Thanks for forwarding this. The announcement may look a little strange as it is talking about OpenSSL, but telling you to upgrade SSH. There was a preceeding announcement for the OpenSSL part, you can see it here: http://www.ubuntu.com/usn/usn-612-1 Before I explain some of the details of what you need to do, I'm sure that there are some people seeing all the commotion, but not really sure whether it affects them. You are affected if: * You have the openssh-server package installed. This is not the default for desktop systems. Look in synaptic, or use "dpkg -l openssh-server" to find out if you have it installed. * You use ssh keys to log in to any machines. This doesn't mean ssh using passwords, and is usually something you have to explicitly set-up, so you probably know if this is you. One clue would be the presence of "*.pub" files in your "~/.ssh" directory. * You have created other secrets using OpenSSL, e.g. SSL keys. If you have any questions, please feel free to ask them. It's absolutely better to be safe than sorry, and this is a serious vulnerability. It doesn't affect many desktop users that don't use remote CLI sessions over SSH though, so if the above conditions don't apply to you you should be fine. If you are not sure, please don't hesitate to ask. One reason this is getting so much attention is that it is extremely common for more advanced users, especially developers. I've just gone through the upgrade process myself, and yes, it's pretty annoying. However the maintainers have worked hard to make it as clear as possible what you have to do. When you upgrade openssh-server you will be prompted if you have a compromised server key. It will then be regenerated for you, but you will have to co-ordinate the associated fingerprint updates with any users that log in to the system. When you upgrade the client you will have a new command on your computer, ssh-vulnkey. If you run this in a terminal it will check common locations for ssh keys and try to tell you of any keys that are vulnerable, or any entries in ~/.authorized_keys that are vulnerable. You should delete the latter as soon as possible, but please make sure you have another way to access the machine first, for instance password logins enabled, an existing ssh connection, or just a keyboard plugged in to the back. You can then update it as you generate new keys. For the client ssh keys you should be sure that all keys are checked, you can pass filenames on the command line for any keys in non-standard locations. This includes ~/.ssh/id_rsa.1.pub and the like that are created by seahorse. To be sure here just pass the names of every key. If it says "COMPROMISED:" you should recreate the key immediately. If it says anything else you are at a lower risk, but should still consider regenerating the keys. Note that the problem is with RSA keys (the default), but there is some discussion over whether the security of DSA keys is reduced by the issue, and so you should consider recreating them again anyway. Also affected are SSL keys, so if you have those you should recreate them. Unfortunately I can't put much more detail in to that statement at the moment, but if you have questions I can try to answer them. Again, I will repeat the suggestion that if you are unsure about something to ask. I will try my best to help you, as I'm sure many others in the group will as well. Thanks, James -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.ubuntu.org/UKTeam/
