Debian ssh bug means lots of work.

Posted May 13, 2008 19:27 UTC (Tue) by endecotp (guest, #36428)
Parent article: Security advisories for Tuesday

So all Debian and Ubuntu users have to regenerate all personal ssh keys and re-propagate them
to all authorized-keys files, regenerate all host keys (how?) and clear all known-host files,
regenerate any ssl key signing certificates and regenerate any self-signed certificates that
were generated using them, revoke all of the old ssl certificates (can anyone tell me how to
do that?), and tell users to expect ssl warnings.

I think that's quite a lot of work. Does anyone know what Debian-specific feature was
responsible for introducing this bug? When a distribution makes a change to the upstream
version of a package, a balance has to be struck between the usefulness of the change and the
potential for breakage. In the case of a package like OpenSSH where the consequences of
breakage are quite serious, I would suggest that distributions should be making few if any
changes to the upstream source.


Debian ssh bug means lots of work.

Posted May 13, 2008 19:31 UTC (Tue) by corbet (editor, #1) [Link]

Lots of discussion on this problem, including how it came to be, ----> over here.

regenerating host keys

Posted May 13, 2008 21:53 UTC (Tue) by pjdc (guest, #6906) [Link]

Something like rm /etc/ssh/ssh_host_{,rsa_,dsa_}key{,.pub} && dpkg-reconfigure openssh-server

regenerating host keys

Posted May 13, 2008 22:33 UTC (Tue) by joey (subscriber, #328) [Link]

Just upgrading openssh-server to version 4.7p1-9 (available in unstable soon) will take care
of fixing any weak host keys; the whole process is automated starting in that version. That
version also refuses to accept logins using weak keys.

Debian has posted a wiki page HOW-TO for Key regeneration.

Posted May 14, 2008 13:12 UTC (Wed) by farslayer (guest, #30300) [Link]

Regenerate and distribute any potentially vulnerable keys. Instructions for how to regenerate
the keys for these applications are below. You can also test to see if keys are vulnerable
using the dowkd.pl utility as described below.

http://wiki.debian.org/SSLkeys
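The first post asks how to find every personal key and known-host entry that needs replacing, and farslayer's post points at dowkd.pl for testing whether a key is one of the weak ones. The checkers of the time worked by matching key fingerprints against a blacklist of fingerprints that the broken generator was known to produce. The script below is an added example of that audit approach, not dowkd.pl, Debian's ssh-vulnkey, or any code from this thread: it parses authorized_keys and known_hosts lines (including the option and host-name prefixes both formats allow), computes the same MD5 fingerprint that ssh-keygen -l -E md5 prints, and reports entries whose fingerprint is blacklisted. The blacklist format (a plain set of fingerprints), the sample key lines and the toy RSA moduli are all constructed for the example; real blacklists were shipped by the distribution.

```python
import base64
import binascii
import hashlib
import struct

# Key types whose base64 blob follows the type token on a line.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-ed25519"}


def _mpint(x: int) -> bytes:
    """RFC 4251 mpint: length-prefixed big-endian, with a leading zero byte when the top bit is set."""
    body = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(body)) + body


def encode_rsa_pubkey(e: int, n: int) -> str:
    """Build the base64 blob that follows 'ssh-rsa' on an OpenSSH public-key line."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return base64.b64encode(blob).decode("ascii")


def fingerprint_md5(b64blob: str) -> str:
    """MD5 fingerprint in the colon-separated form that 'ssh-keygen -l -E md5' prints."""
    digest = hashlib.md5(base64.b64decode(b64blob, validate=True)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_key_line(line: str):
    """Return (key_type, base64_blob) from an authorized_keys or known_hosts line, else None.

    Both formats may carry a prefix before the key type (authorized_keys options such as
    command="...",no-pty; known_hosts host names), so the line is scanned for the first
    key-type token instead of assuming a fixed column."""
    tokens = line.strip().split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, tok in enumerate(tokens[:-1]):
        if tok in KEY_TYPES:
            return tok, tokens[i + 1]
    return None


def find_blacklisted(lines, blacklist):
    """Return [(line_number, key_type, fingerprint)] for each key whose fingerprint is blacklisted."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        parsed = parse_key_line(line)
        if parsed is None:
            continue
        key_type, blob = parsed
        try:
            fp = fingerprint_md5(blob)
        except (binascii.Error, ValueError):
            continue  # malformed blob: sshd would not accept it either, nothing to match
        if fp in blacklist:
            hits.append((lineno, key_type, fp))
    return hits


# Constructed sample keys: toy moduli that only need to yield well-formed blobs, not real RSA keys.
WEAK_BLOB = encode_rsa_pubkey(65537, 0xC0FFEE_DEAD_BEEF_1234_5678)
GOOD_BLOB = encode_rsa_pubkey(65537, 0xFEEDFACE_CAFE_BEEF_8765_4321)
# Constructed blacklist (assumption: a plain set of MD5 fingerprints stands in for the real lists).
BLACKLIST = {fingerprint_md5(WEAK_BLOB)}

SAMPLE_AUTHORIZED_KEYS = [  # constructed sample file contents
    "# keys for the deploy account",
    'command="/usr/bin/rsync --server",no-pty ssh-rsa ' + WEAK_BLOB + " backup@build",
    "ssh-rsa " + GOOD_BLOB + " alice@laptop",
    "ssh-rsa not-base64!! broken@entry",
]
SAMPLE_KNOWN_HOSTS = [  # constructed sample file contents
    "build.example.org,192.0.2.10 ssh-rsa " + WEAK_BLOB,
    "files.example.org ssh-rsa " + GOOD_BLOB,
]


def audit_samples():
    """Run the audit over both constructed sample files."""
    return {"authorized_keys": find_blacklisted(SAMPLE_AUTHORIZED_KEYS, BLACKLIST),
            "known_hosts": find_blacklisted(SAMPLE_KNOWN_HOSTS, BLACKLIST)}


if __name__ == "__main__":
    for name, hits in audit_samples().items():
        for lineno, key_type, fp in hits:
            print(f"{name}:{lineno}: blacklisted {key_type} key {fp}")
```

On a real host the two sample lists would be replaced by the lines of each user's ~/.ssh/authorized_keys and ~/.ssh/known_hosts plus /etc/ssh/ssh_known_hosts, and the blacklist by the distribution's list; every hit is a key to replace (authorized_keys) or an entry to drop and re-verify against the regenerated host key (known_hosts).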

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds