One of these days?

Posted May 15, 2008 7:14 UTC (Thu) by dion (subscriber, #2764)
Parent article: Debian, OpenSSL, and a lack of cooperation

As far as I can tell that "day" has already started; the only question is whether it started back in 2006 or on May 13, but this is unbelievably bad.

Given that the compromised keys are known, the ssh client should be updated with the blacklist as well, so it can:
1) Change its own key and use the old key as a fallback.
2) Remove the compromised keys from the authorized_keys file on the remote systems as soon as a user logs in.

With the compromised keys in use in tons of authorized_keys files, many of them on systems that might not get much attention because they weren't subject to the initial problem, it's only a matter of time before someone generates the keys needed and owns a substantial part of the machines running ssh in the world.

I've been a great fan of Ubuntu lately, but I'm going to start looking into a more security-conscious distribution (read: something not based on Debian), maybe even FreeBSD, which I hear is getting to be quite acceptable.




One of these days?

Posted May 15, 2008 10:41 UTC (Thu) by nix (subscriber, #2304)

New SSH packages that include such a blacklist have hit both Ubuntu and Debian repos now.

(Personally I'm not going to use those patches on my non-Debian systems: they slow down connection with a binary search across a multi-megabyte file on every connection attempt, they eat 4MB of disk space on / and I know none of my keys are vulnerable. But still, it's probably good if you don't know that. I just hope that someday we can remove those patches again...)
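Both comments above describe the same mechanism from different sides: dion wants a client that checks its own keys and the remote authorized_keys entries against a blacklist of known-bad fingerprints, and nix notes that the shipped packages implement the lookup as a binary search over a large sorted file. The following is an added example written for this page, not code from the LWN thread, from OpenSSH, or from the Debian/Ubuntu packages. It assumes a blacklist that is a text file of lower-case hex MD5 fingerprints (MD5 over the base64-decoded key blob, which is what ssh-keygen -l printed at the time), one per line, sorted, with '#' comments; the real openssh-blacklist file format is not reproduced here. The authorized_keys entries and the blacklist are constructed in the block so it runs offline; the key blobs are arbitrary bytes, not real keys.

```python
"""Filter authorized_keys entries against a sorted fingerprint blacklist.

Added example for this page (not from the thread or the packages it discusses).
Assumption: the blacklist is a sorted text file of hex MD5 fingerprints, one per
line, '#' for comments. Sample keys below are constructed byte strings.
"""
import base64
import bisect
import hashlib

KEY_TYPES = {"ssh-rsa", "ssh-dss"}


def fingerprint(blob: bytes) -> str:
    """MD5 over the decoded key blob, hex without colons so entries sort and
    compare as plain strings."""
    return hashlib.md5(blob).hexdigest()


def load_blacklist(text: str) -> list:
    """Parse blacklist text into a sorted list suitable for binary search."""
    entries = [ln.strip().lower() for ln in text.splitlines()
               if ln.strip() and not ln.lstrip().startswith("#")]
    return sorted(entries)


def is_blacklisted(fp: str, blacklist: list) -> bool:
    """Binary search over the sorted list, the kind of lookup nix describes."""
    i = bisect.bisect_left(blacklist, fp)
    return i < len(blacklist) and blacklist[i] == fp


def parse_authorized_line(line: str):
    """Return (keytype, blob) for a key line, or None for comments/blank lines.
    Options such as command="..." may precede the key type; a quoted option
    that itself contains spaces is not handled here (a full parser must
    respect the quoting rules of sshd's authorized_keys format)."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return tok, base64.b64decode(tokens[i + 1])
    return None


def filter_authorized_keys(text: str, blacklist: list):
    """Return (lines to keep, fingerprints of the entries that were removed)."""
    kept, removed = [], []
    for line in text.splitlines():
        parsed = parse_authorized_line(line)
        if parsed is None:
            kept.append(line)  # comments and blank lines pass through unchanged
            continue
        fp = fingerprint(parsed[1])
        if is_blacklisted(fp, blacklist):
            removed.append(fp)
        else:
            kept.append(line)
    return kept, removed


# --- constructed sample data (not real keys) --------------------------------
def _entry(keytype: str, blob: bytes, comment: str) -> str:
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


ALICE_BLOB = b"\x00\x00\x00\x07ssh-rsa" + b"\x01" * 16   # constructed, clean
BOB_BLOB = b"\x00\x00\x00\x07ssh-dss" + b"\x02" * 16     # constructed, "compromised"
BACKUP_BLOB = b"\x00\x00\x00\x07ssh-rsa" + b"\x03" * 16  # constructed, clean

AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    _entry("ssh-rsa", ALICE_BLOB, "alice@laptop"),
    _entry("ssh-dss", BOB_BLOB, "bob@desktop"),
    'command="/usr/bin/backup" ' + _entry("ssh-rsa", BACKUP_BLOB, "backup"),
])

BLACKLIST_TEXT = "\n".join([
    "# constructed blacklist: one hex MD5 fingerprint per line",
    "f" * 32,                 # filler entries so the search has something to skip
    fingerprint(BOB_BLOB),
    "0" * 32,
])
BLACKLIST = load_blacklist(BLACKLIST_TEXT)

if __name__ == "__main__":
    kept, removed = filter_authorized_keys(AUTHORIZED_KEYS, BLACKLIST)
    print("removed fingerprints:", removed)
    print("\n".join(kept))
```

Run as a script it prints the one removed fingerprint (bob's constructed key) and the surviving file; the entry with a `command=` option is kept because the option prefix is skipped when locating the key blob. Checking a client's own public key is the same `is_blacklisted(fingerprint(blob), BLACKLIST)` call, which is what step 1 of dion's list would do before deciding to roll the key.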

Copyright © 2009, Eklektix, Inc.