evilghost
Premium
join:2003-11-22
Springville, AL
reply to BeesTea
Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166

I walked in this morning and had this printout on my cube wall. Awesome.


No_Strings
Premium,Mod
join:2001-11-22
The OC
reply to visitor_
"Ubuntu - Turns out distro is actually just Windows Vista with a few custom themes."

Something some of us have suspected for a long time.


visitor_

@proxad.net
reply to BeesTea
I hope the following doesn't lower the otherwise highly admirable tone of this thread too excessively:

»xkcd.com/424/



evilghost
Premium
join:2003-11-22
Springville, AL
·Windstream

reply to BeesTea
said by BeesTea:

SSH scanning is increased considerably across the Internet.

http://www.securityfocus.com/news/11518?ref=rss

It's important to consider that simply having ssh-key auth enabled is not enough to be compromised. A user would still need to be using a vulnerable key for authentication. In practical experience, public-key is way less common than simple password auth with ssh. This means the more likely attack vector will be session keys. Considering that password auth for ssh is plain text pushed through the session tunnel, I'd be more worried about that. Someone sniffing TCP/22 and cracking it at their leisure would result in essentially plain text logins and passwords.

EDIT: Typo

One thing to consider would be password-less keypairs, for example, I use these at home on my trusted computers for sshfs to avoid password prompts. It's my understanding that if someone knew the compromised keypair and username they could successfully authenticate without password.


BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000


1 edit
reply to deblin
SSH scanning is increased considerably across the Internet.

http://www.securityfocus.com/news/11518?ref=rss

It's important to consider that simply having ssh-key auth enabled is not enough to be compromised. A user would still need to be using a vulnerable key for authentication. In practical experience, public-key is way less common than simple password auth with ssh. This means the more likely attack vector will be session keys. Considering that password auth for ssh is plain text pushed through the session tunnel, I'd be more worried about that. Someone sniffing TCP/22 and cracking it at their leisure would result in essentially plain text logins and passwords.

EDIT: Typo


deblin
Dark Side of the Moon
Premium,MVM
join:2001-09-01
Middletown, DE

1 edit
reply to BeesTea
Never mind, standard log messages from the brute force attackers, not necessarily anything significant to this.


BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000

reply to BeesTea
H D Moore, of the Metasploit project etc, has made the following write up.

http://metasploit.com/users/hdm/tools/debian-openssl/

Of note is the FAQ

quote:
Frequently Asked Questions
Q: How long did it take to generate these keys?
A: About two hours for the 1024-bit DSA and 2048-bit RSA keys for x86. I used 31 Xeon cores clocked at 2.33GHz. I am generating the RSA 4096-bit keys now and the total time should be about 18 hours.

Q: Will you share your code for distributing the key-generation across multiple processors?
A: Nope. The code is hardcoded for this specific cluster and is too poorly-written to be worth cleaning up.

Q: How long does it take to crack a SSH user account using these keys?
A: This depends on the speed of the network and the configuration of the SSH server. It should be possible to try all 32,767 keys of both DSA-1024 and RSA-2048 within a couple hours, but be careful of anti-brute-force scripts on the target server.

Q: I use 16384-bit RSA keys, can these be broken?
A: Yes, it's just a matter of time and processing power. For mere mortals, 4096-bit keys are already a little on the paranoid side. All possible 4096-bit keys should be available within the next day or so. It is possible to generate all combinations of 8192-bit and 16384-bit keys, but I probably have better uses for my processors.

Scary.

Folks, if you're not already, pay close attention to excessive connections to your crypto services like ssh, vpn, etc. ~32,000 attempts can go by fast.
--
Overpower, overcome.
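
An added example (not part of the original post or the thread): one way to watch for the excessive connections mentioned above is to count failed sshd authentications per source address and per method, which separates publickey guessing from ordinary password brute forcing. The log lines are constructed samples, and the function names and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the usual sshd syslog layout (not from the thread).
SAMPLE_LOG = """\
May 15 09:12:01 host sshd[4101]: Failed publickey for root from 192.0.2.10 port 40112 ssh2
May 15 09:12:01 host sshd[4101]: Failed publickey for root from 192.0.2.10 port 40112 ssh2
May 15 09:12:02 host sshd[4103]: Failed publickey for root from 192.0.2.10 port 40113 ssh2
May 15 09:12:02 host sshd[4103]: Failed publickey for root from 192.0.2.10 port 40113 ssh2
May 15 09:12:05 host sshd[4110]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
May 15 09:12:09 host sshd[4112]: Failed password for invalid user test from 198.51.100.7 port 51004 ssh2
May 15 09:13:00 host sshd[4120]: Accepted publickey for alice from 203.0.113.5 port 52200 ssh2
"""

# Matches sshd "Failed <method> for [invalid user] <user> from <ip> port <n>" lines.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>publickey|password) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def count_failures(log_text):
    """Count failed authentications per (source IP, auth method)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[(m.group("ip"), m.group("method"))] += 1
    return counts

def flag_sources(log_text, threshold=3):
    """Return (ip, method, count) tuples at or above threshold, busiest first.

    threshold is an assumed tuning value; pick one that fits normal traffic.
    """
    hits = [(ip, method, n)
            for (ip, method), n in count_failures(log_text).items()
            if n >= threshold]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))

if __name__ == "__main__":
    for ip, method, n in flag_sources(SAMPLE_LOG):
        print(f"{ip}: {n} failed {method} attempts")
```

Depending on the configured LogLevel, sshd may not record every failed publickey attempt, so the counts are a lower bound.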


BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000
reply to evilghost
That wiki entry is excellent. I'd recommend everyone read it, specifically the list of likely affected software.

Thanks for sharing!


evilghost
Premium
join:2003-11-22
Springville, AL
reply to BeesTea
Good info here:

»wiki.debian.org/SSLkeys


evilghost
Premium
join:2003-11-22
Springville, AL
·Windstream


3 edits
reply to BeesTea
I'm reminded why I don't like Ubuntu when the openssh-server and openssh-client packages are held back requiring the installation of openssh-blacklist as a requirement.

Dear Ubuntu Team, I'm not going to use ssh-vulnkey to see if my system is vulnerable, I'm reissuing keys. Why is this package a requirement for the openssh-server package? Cut me a freaking break.


evilghost
Premium
join:2003-11-22
Springville, AL
·Windstream

reply to Eatmeingreek
said by Eatmeingreek:

Script seems to work. At least it identifies weak keys and they go away when you run evilghost's commands.

Speaking of evilghost, the first line, "ssh-keygen -q -f /etc/ssh/ssh_host_key -N '' -t rsa1" creates files called "ssh_host_key" and "ssh_host_key.pub" that didn't already exist on all the Debian boxes I've tried so far. Don't think they're really needed.

Fortunately a lot of my Debian hosts started life as Sarge boxes so a lot have been unaffected so far.

Agree, rsa1 not needed, at least on this end. Edited my post, thanks for pointing this out.


BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000
reply to djrobx
Excellent feedback. Thanks!
--
Overpower, overcome.


djrobx

join:2000-05-31
Valencia, CA
reply to deblin
Script appears to work. Tried it against Sarge-generated host keys and it was quiet. Tried it against a recently installed Etch server and it reported the weak keys. After upgrading and regenerating the host keys, it was quiet.


deblin
Dark Side of the Moon
Premium,MVM
join:2001-09-01
Middletown, DE
reply to Eatmeingreek
I don't think it (by default) supports RSA1 keys, and rightly so. They're quite insecure, relative to DSA and RSA2.
--
»hillaryis404.org/


Eatmeingreek
Gentard

join:2001-06-29
San Francisco, CA

reply to BeesTea
Script seems to work. At least it identifies weak keys and they go away when you run evilghost's commands.

Speaking of evilghost, the first line, "ssh-keygen -q -f /etc/ssh/ssh_host_key -N '' -t rsa1" creates files called "ssh_host_key" and "ssh_host_key.pub" that didn't already exist on all the Debian boxes I've tried so far. Don't think they're really needed.

Fortunately a lot of my Debian hosts started life as Sarge boxes so a lot have been unaffected so far.
--
"Be safe be suspicious"


deblin
Dark Side of the Moon
Premium,MVM
join:2001-09-01
Middletown, DE

reply to BeesTea
I haven't tested it myself, but apparently this script can find affected keys:

»security.debian.org/project/extr···kd.pl.gz

It's a huge perl script, namely because it has the key data in the perl script itself.

Hope it's useful for some folks.
--
»hillaryis404.org/


EUS
Kill cancer
Premium
join:2002-09-10
Montreal, QC
reply to BeesTea
Ugh, ssh, apache2, postfix, vsftp, I have some cleaning up to do.


evilghost
Premium
join:2003-11-22
Springville, AL
reply to BeesTea
Glad I'm running 6.06 LTS so I don't have to deal with re-creating my Apache SSL cert, my Dovecot/Postfix .pem, and my SSH keys...


srgyhryt89yfn

@gov.br
reply to evilghost
Yes. You need to regenerate them, they're required for the security of the session setup.


deblin
Dark Side of the Moon
Premium,MVM
join:2001-09-01
Middletown, DE

reply to evilghost
That's going to make SO many ssh clients really, really unhappy

Necessary, obviously, but people are going to be seeing a lot of "man in the middle" type errors from ssh in the coming weeks.
--
»hillaryis404.org/