448191 Posted May 15, 2008 Share Posted May 15, 2008 Just thought I'd share this mail I got from my vps provider for any Debian and Ubuntu users out there. It'd be a shame if your root account got brute forced. Dear customer, This week an issue came up in the Debian community related to a communications problem between the developers of the OpenSSL security software and the maintainer of this same software within the Debian team. Due to an error, in 2006 a serious security issue has crept into the Debian (and Ubuntu) version of OpenSSL that has only now been detected. The error reduced the possible key space for SSH host keys and SSL certificates to 32,768 possibilities. This has a serious impact on their cryptographic security, opening the door to credible eavesdropping and identity theft attacks. For security purposes we will perform software updates for our Debian and Ubuntu customers in the next few days. For customers that have a root password on their VPS that is unknown to us we advise a prompt round of apt-get update / apt-get upgrade. The update may lead to programs like Putty complaining about a changed SSH host key. This is expected. It's been solved (or so the mail says - in Dutch so I wont bother you with it) though, so an update should fix it. Quote Link to comment https://forums.phpfreaks.com/topic/105767-debian-and-ubuntu-openssl-serious-security-issue/ Share on other sites More sharing options...
trq Posted May 15, 2008 Share Posted May 15, 2008 It'd be a shame if your root account got brute forced. You shouldn't be allowing root access via ssh in the first place but yeah, this is the first I have heard of this issue, and I'm subscribed to a few of the debian lists. Thanks for the heads up. Edit by Daniel: Fixed bbcodes. Quote Link to comment https://forums.phpfreaks.com/topic/105767-debian-and-ubuntu-openssl-serious-security-issue/#findComment-542000 Share on other sites More sharing options...
zq29 Posted May 15, 2008 Share Posted May 15, 2008 All of my Ubuntu machines picked this up the day before yesterday, and again today - Must have been more than one issue. Quote Link to comment https://forums.phpfreaks.com/topic/105767-debian-and-ubuntu-openssl-serious-security-issue/#findComment-542132 Share on other sites More sharing options...
steviewdr Posted May 16, 2008 Share Posted May 16, 2008 It's been solved (or so the mail says - in Dutch so I wont bother you with it) though, so an update should fix it. While openssl and sshd are fixed in recent debian and ubuntu updates (apt-get upgrade), it is *not* this simple! All ssh and ssl keys which were created on debian or ubuntu servers between September 2006 and last week, need to be recreated. If you use ssh keys on debian/ubuntu, these need to be deleted, and new ones created. After a couple of apt-get upgrades in debian etch, a new tool called "ssh-vulnkey" is installed. Simple run "ssh-vulnkey -a" as root to detect if ssh keys are at risk. Its quite a tale and there has been a lot of noise about it. See: http://wiki.debian.org/SSLkeys#head-5450db0076b3d85650f72117a9884f89d2349032 http://mail.linux.ie/pipermail/ilug/2008-May/097975.html -steve Quote Link to comment https://forums.phpfreaks.com/topic/105767-debian-and-ubuntu-openssl-serious-security-issue/#findComment-542752 Share on other sites More sharing options...
448191 Posted May 18, 2008 Author Share Posted May 18, 2008 It's been solved (or so the mail says - in Dutch so I wont bother you with it) though, so an update should fix it. While openssl and sshd are fixed in recent debian and ubuntu updates (apt-get upgrade), it is *not* this simple! All ssh and ssl keys which were created on debian or ubuntu servers between September 2006 and last week, need to be recreated. If you use ssh keys on debian/ubuntu, these need to be deleted, and new ones created. After a couple of apt-get upgrades in debian etch, a new tool called "ssh-vulnkey" is installed. Simple run "ssh-vulnkey -a" as root to detect if ssh keys are at risk. Its quite a tale and there has been a lot of noise about it. See: http://wiki.debian.org/SSLkeys#head-5450db0076b3d85650f72117a9884f89d2349032 http://mail.linux.ie/pipermail/ilug/2008-May/097975.html -steve I have run apt-get update and upgrade without any results (maybe my isp did it though I don't see how since I changed the root pswd) and ssh-vulnkey is not installed...Any pointers? Quote Link to comment https://forums.phpfreaks.com/topic/105767-debian-and-ubuntu-openssl-serious-security-issue/#findComment-544028 Share on other sites More sharing options...
trq Posted May 18, 2008 Share Posted May 18, 2008 Use aptitude, does it say it is holding any packages back? sudo aptitude update sudo aptitude safe-upgrade Quote Link to comment https://forums.phpfreaks.com/topic/105767-debian-and-ubuntu-openssl-serious-security-issue/#findComment-544043 Share on other sites More sharing options...
448191 Posted May 18, 2008 Author Share Posted May 18, 2008 448191:/etc/apache2/conf.d# aptitude update Get:1 http://ftp.nl.debian.org etch Release.gpg [378B] Hit http://ftp.nl.debian.org etch Release Ign http://ftp.nl.debian.org etch/main Packages/DiffIndex Hit http://ftp.nl.debian.org etch/main Packages Fetched 378B in 0s (2206B/s) Reading package lists... Done 448191:/etc/apache2/conf.d# 448191:/etc/apache2/conf.d# aptitude upgrade Reading package lists... Done Building dependency tree... Done Initializing package states... Done Reading task descriptions... Done Building tag database... Done No packages will be installed, upgraded, or removed. 0 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded. Need to get 0B of archives. After unpacking 0B will be used. 448191:/etc/apache2/conf.d# btw, it doesn't recognize safe-upgrade, but --help includes this line: upgrade - Perform a safe upgrade So I assume just 'upgrade' works. Just to be sure: 448191:/etc/apache2/conf.d# whereis ssh-vulnkey ssh-vulnkey: 448191:/etc/apache2/conf.d# Edit: Yes, I'm working as root, not using sudo... No lectures please Quote Link to comment https://forums.phpfreaks.com/topic/105767-debian-and-ubuntu-openssl-serious-security-issue/#findComment-544045 Share on other sites More sharing options...
trq Posted May 18, 2008 Share Posted May 18, 2008 Hmm, it should be picking it up. Oh and sorry, the safe-upgrade is only available in sid at the moment. Id try forcing a reinstall. sudo apt-get install --reinstall openssh Quote Link to comment https://forums.phpfreaks.com/topic/105767-debian-and-ubuntu-openssl-serious-security-issue/#findComment-544134 Share on other sites More sharing options...
448191 Posted May 18, 2008 Author Share Posted May 18, 2008 No dice either. I also don't quite understand why there's an ssh package when there's also a ssh-server AND ssh-client package. Anyway, none of my forced reinstalls had the desired effect. I'll contact my host. Quote Link to comment https://forums.phpfreaks.com/topic/105767-debian-and-ubuntu-openssl-serious-security-issue/#findComment-544158 Share on other sites More sharing options...
tomfmason Posted May 18, 2008 Share Posted May 18, 2008 This ended up working for me apt-get install openssh-server openssh-client Quote Link to comment https://forums.phpfreaks.com/topic/105767-debian-and-ubuntu-openssl-serious-security-issue/#findComment-544214 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.