Re: HEADS UP: blacklisting of weak ssh keys

[Matthew Dillon <dillon@xxxxxxxxxxxxxxxxxxxx>]

:
:By now every administrator and/or ssh user should have heard about the
:bug in debian's ssl library. If you've been offline for the past few days,
:start here:
:
:http://lists.debian.org/debian-security-announce/2008/msg00152.html
:http://metasploit.com/users/hdm/tools/debian-openssl
:
:While our OpenSSL library does not suffer from this bug, it possible that
:some of your users have generated their keys on a buggy debian or 
:debian-derivative (e.g. Ubuntu) system. This would mean their account can be 
:easily compromised by a brute-force attack because of the relatively small 
:number of keys that need to be tried.
:
:Today Simon updated our openssh to have the server reject any of the 
:blacklisted keys by default. This may mean that some users will no longer be 
:able to log in remotely, but the alternative is to leave the machine 
:vulnerable to any of the key scanners circulating on the internet. If for 
:some reason you need to allow the compromised keys you can set 
:PermitBlacklistedKeys to Yes in your sshd_config.
:
:Also included in the update is the ssh-vulnkey program which you can use to 
:compare the keys in your user accounts to the blacklist. Please note that the 
:blacklist is not yet exhaustive; at the moment it covers only the keys 
:created with the most common key generation parameters.
:
:It is strongly recommended that you upgrade your server (by rebuilding world) 
:as soon as possible and remove any weak keys from the ~/.ssh/authorized_keys 
:file. After this, you will have to arrange for any affected users to install 
:new, properly generated, ssh keys.
:
:Any SSL certificates generated in the vulnerability window (2006-09-17 to now) 
:on a debian system will have to be replaced as well.
:
:Aggelos

    I am downloading the key fingerprings debian published and will run it
    against all the accounts on leaf, pkgbox, and other machines.

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>