[nzlug] today's SSH/SSL/OpenVPN key fun
Robert Coup
robert.coup at onetrackmind.co.nz
Wed May 14 14:35:10 NZST 2008
If you're running Debian, Ubuntu, or any other Debian-derived distro,
OR if you have generated any SSH/SSL keys/certificates on a
Debian-derived machine since 2006...
> A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates.
Normally I wouldn't bother posting this to NZLUG but it turns out
there are only ~262,000 keys generated, which is a very very quick
bruteforce. It only affects Debian since it was a distro-specific
patch that broke it. The first vulnerable version, openssl 0.9.8c-1,
was uploaded to the Debian unstable distribution on 2006-09-17, and
has since propagated to the testing and current stable (etch)
distributions. The old stable distribution (sarge) is not affected.
For Ubuntu, everything from Feisty onwards is affected.
Note doing an apt-get upgrade won't fix this - you need to regenerate
all your SSH keys (user & host) & SSL certificates that have been
created using this library as well. Be a little careful of just
hitting "apt-get dist-upgrade" or you may be locked out of your boxes
(openssh-blacklist gets installed and will block insecure keys).
Security Advisories:
Debian: http://lists.debian.org/debian-security-announce/2008/msg00152.html
Ubuntu: http://www.ubuntu.com/usn/usn-612-1 ,
http://www.ubuntu.com/usn/usn-612-2 ,
http://www.ubuntu.com/usn/usn-612-3
Rob :)
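The key audit the post calls for (finding user and host keys that need regenerating) can be scripted. The following is an added example, not part of the original message and not code from the openssh-blacklist package: it checks `authorized_keys`-style lines against a blocklist of weak-key fingerprints. The blocklist entry format (the last 20 hex digits of the key's MD5 fingerprint) is an assumption, and the sample keys and blocklist entry are constructed placeholders.

```python
import base64
import binascii
import hashlib

KEY_TYPES = {"ssh-rsa", "ssh-dss"}  # key types OpenSSH generated in 2006-2008

def parse_key_line(line):
    """Return (type, raw_blob, comment) or None for blank/comment/bad lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    # Options such as command="..." may precede the key type, so search for it.
    for i, tok in enumerate(fields[:-1]):
        if tok in KEY_TYPES:
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except (binascii.Error, ValueError):
                return None
            return tok, blob, " ".join(fields[i + 2:])
    return None

def fingerprint(blob):
    """Classic OpenSSH fingerprint: MD5 over the raw public-key blob."""
    return hashlib.md5(blob).hexdigest()

def load_blocklist(lines):
    """Assumed entry format: last 20 hex digits of the MD5 fingerprint."""
    return {l.strip().lower() for l in lines
            if l.strip() and not l.lstrip().startswith("#")}

def audit(key_lines, blocklist):
    """Return (line_no, type, comment, fingerprint) for each blocklisted key."""
    hits = []
    for n, line in enumerate(key_lines, 1):
        parsed = parse_key_line(line)
        if parsed and fingerprint(parsed[1])[-20:] in blocklist:
            hits.append((n, parsed[0], parsed[2], fingerprint(parsed[1])))
    return hits

# Constructed sample data: these blobs are placeholders, not real keys.
_WEAK = base64.b64encode(b"constructed-weak-blob").decode()
_GOOD = base64.b64encode(b"constructed-good-blob").decode()
SAMPLE_KEYS = [
    "# constructed authorized_keys sample",
    "ssh-rsa " + _WEAK + " alice@oldbox",
    'no-pty,command="/usr/bin/backup run" ssh-dss ' + _GOOD + " backup@nas",
    "ssh-rsa not*base64 broken@line",
]
SAMPLE_BLOCKLIST = ["# constructed entry", fingerprint(b"constructed-weak-blob")[-20:]]

if __name__ == "__main__":
    for hit in audit(SAMPLE_KEYS, load_blocklist(SAMPLE_BLOCKLIST)):
        print("line %d: %s key '%s' is blocklisted (MD5 %s)" % hit)
```

Run it over every `authorized_keys` file and host public key before upgrading, so that keys which will stop being accepted are replaced first.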