[Tfug] Debian SSH vulnerability

John Gruenenfelder johng at as.arizona.edu
Tue May 13 19:21:53 MST 2008


On Tue, May 13, 2008 at 06:47:08PM -0700, Jude Nelson wrote:
>I think the vulnerability only applies to servers, not clients.  At
>least, that's what the article looked like.

It also applies to any users using key-based authentication.  The key files in
your ~/.ssh directory are created in the same manner that the server keys
are.  If I understand it correctly, if your personal key is one of the broken
ones, an attacker could potentially log into a remote system as you.

However, my understanding is also that you (and your systems) are only
affected by this vulnerabilty is your keys were created *after* the package
maintainer broke the random number generation and, obviously, before the
bugfix was released.

My own personal keys were generated in 2000, so I'm pretty sure they're fine.
My home fileserver has keys from 2003 and my main work machine has keys from
2000 and 2001, so they're fine too.  But, the other work server I set up in
January had to get new keys.

Not having to update these really old keys means less of a headache because it
also means not having to fix all the known_hosts and authorized_keys files
that use them.


-- 
--John Gruenenfelder    Research Assistant, UMass Amherst student
                        Systems Manager, MKS Imaging Technology, LLC.
Try Weasel Reader for PalmOS  --  http://weaselreader.org
"This is the most fun I've had without being drenched in the blood
of my enemies!"
        --Sam of Sam & Max




More information about the tfug mailing list