Slashdot is discussing a bug in SSH key generation which was introduced into the Debian source tree in late 2006 that has just been uncovered. Essentially someone removed the random seeding from key generation making keys guessable. See:

http://it.slashdot.org/it/08/05/13/1533212.shtml

Now, what do we need to do with our linodes to correct for this?

Switch to Gentoo

Upgrade OpenSSL and re-generate all your SSH and SSL keys.

_________________
/ Peter

or slackware, or centos, or arch, or fedora, or suse, or mandrake...

It may be worth noting that the error was introduced in September 2006, and keys older than that should be fine.

_________________
The irony is that Bill Gates claims to be making a stable operating system and Linus Torvalds claims to be trying to take over the world.
-- seen on the net

Does this apply to gnupg keys as well?

No, in the Debian announcement:

http://lists.debian.org/debian-security ... 00152.html

they said:

"Keys generated with GnuPG or GNUTLS are not affected"

---


Stephen

Heh. Reminds me of a comment I enjoyed at the top of efudd's script from this thread:

# Installation Tips:
# gentoo: emerge XML-LibXML ....
# debian: install gentoo OR apt-get install libxml-libxml-perl
# redhat: install windows
# slackware: rock on! 

apt-get update
apt-get upgrade

http://www.us.debian.org/security/2008/dsa-1571

That gives you the fixed software. That doesn't fix the existing weak keys (including host keys) or certificates that may have been generated. What fun!

_________________
The irony is that Bill Gates claims to be making a stable operating system and Linus Torvalds claims to be trying to take over the world.

-- seen on the net

Updating SSH host keys:

rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
/etc/init.d/ssh restart # might not be necessary

Obviously you will receive host key mismatch warnings after this. Replace the relevant key(s) in ~/.ssh/known_hosts with the key in /etc/ssh/ssh_host_rsa_key.pub on the server (copy down the value using your existing session).

Don't forget to update lish keys as well, if you're using debian/ubuntu locally![/code]

Don't forget that if you generated a certificate request with a compromised Debian-based distro, you'll need to replace your certificate. Hopefully that won't mean having to pay again...

This will fix the keys on Ubuntu. They added on an "openssh-blacklist" package that comes with the upgrade. It will check and offer to regenerate keys during the upgrade action. It also provides a "ssh-vulnkey" utility to allow users to check their individual keys. Not sure if Debian has the same thing, but I wouldn't be surprised if that's where it came from.

http://wiki.debian.org/SSLkeys

This is the best page I've seen on the matter. It describes how this issue affects different packages you might be running, the use of ssh-vulnkey and dowkd.pl for testing keys, how to test SSL certificates, etc etc.

And you don't have to be running Debian at all to be affected. Basically if you've used a good key to talk to a machine with a bad key, your key may have been compromised.

I had to do 'sudo apt-get update && sudo apt-get dist-upgrade' to get the full set of updated openssh packages since a few were held back otherwise.