evilghost
Premium
join:2003-11-22
Springville, AL
 ·Windstream
| reply to BeesTea
Re: Heads Up: Debian OpenSSL RNG Vuln CVE-2008-0166
Is there any reason to regenerate the host-wide keys in /etc/ssh or just those created with ssh-keygen for use in authorized_keys?
|
|
BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000
| For sure host keys would be vulnerable too. The public/private key exchange to build an ssh session pre-auth is almost identical to the one used for auth.
It's going to be a while before all the impact of this is fully understood I think. Thanks for pointing that out. It might be worth brain dumping all the places where SSL might get used like that.
--
Overpower, overcome. |
|
refused
keeping IT real
join:2005-10-10
Redding, CA
| reply to evilghost
quote:
Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key
material for use in X.509 certificates and session keys used in SSL/TLS
connections. Keys generated with GnuPG or GNUTLS are not affected,
though.
if generated with 0.9.8c-1 or after, yah they should probably be regenerated with a fixed version. the security bulletin says the old stable version Sarge wasn't affected, so depends where your ssh keys came from and what version they came from. better safe than sorry though.
--
"Ubuntu" - an African word, meaning "Slackware is too hard for me". |
|
srgyhryt89yfn
@gov.br | reply to evilghost
Yes. You need to regenerate them, they're required for the security of the session setup. |
|
