[nzlug] todays SSH/SSL/OpenVPN key fun

Robert Coup robert.coup at onetrackmind.co.nz
Wed May 14 15:11:59 NZST 2008


On Wed, May 14, 2008 at 3:02 PM, Robin Sheat <robin at kallisti.net.nz> wrote:
> On Wednesday 14 May 2008 14:35:10 Robert Coup wrote:
> > Note doing an apt-get upgrade won't fix this
>
> In Ubuntu, it will. Any weak keys are updated, and you can run ssh-vulnkey -a
> to check the rest of the system. Also, don't forget to check openvpn (with
> openvpn-vulnkey) while you're at it.

umm. not quite.

Updated means regenerated, and presumably the keys are used for
something useful (logging in to/from other systems in the case of
SSH).

If your SSH host keys change, every client will get major @@EVIL@@
warnings. Not much you can do about that now.
If your SSH user keys change, then you won't be able to log in anywhere
you've put your public key, which is a bad thing.
If you've generated a key on an affected system and exported/moved it
elsewhere, it is still vulnerable.
If you've generated an SSL certificate request on an affected system,
then the cert is vulnerable.

So if you don't use SSH keys (only passwords), then you get @@EVIL@@
warnings, follow the instructions, and they go away. Assuming you're
not paranoid, since your passwords may have been sniffed over your
[un]encrypted ssh session, since the host's keys may not have been
secure.

If you use SSH keys for logging in or for subversion, or use client or
server SSL certificates (like OpenVPN does), then you need to
regenerate all your keys/certificates.

Rob :)
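The point above that a key generated on an affected box stays weak wherever it has been copied means the audit has to cover every authorized_keys and exported public key, not just the generating host. The following is an added example, not code from the thread or from the ssh-vulnkey tool: it decodes OpenSSH public key lines into their wire-format blob, reports key type and modulus size, and looks each key up by SHA-1 fingerprint in a blacklist set. The blacklist here is constructed from the sample keys; the entry format of the real openssh-blacklist files is an assumption not reproduced, so this matches on the full hex SHA-1 of the blob.

```python
import base64
import hashlib
import struct


def _string(b):
    """SSH wire 'string': 4-byte big-endian length followed by bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(x):
    """SSH wire 'mpint': big-endian, with a leading 0x00 if the top bit is set."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return _string(b"\x00" + b if b[0] & 0x80 else b)


def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def make_rsa_line(e, n, comment):
    """Encode an 'ssh-rsa <base64 blob> <comment>' line (constructed test data only)."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def parse_pubkey_line(line):
    """Return (key type, modulus/prime bits, hex SHA-1 of the raw key blob)."""
    ktype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    name, off = _read_string(blob, 0)
    if name.decode() != ktype:
        raise ValueError("key type in blob does not match line prefix")
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)    # public exponent, not needed for size
        n, _ = _read_string(blob, off)       # modulus
        bits = int.from_bytes(n, "big").bit_length()
    elif ktype == "ssh-dss":
        p, _ = _read_string(blob, off)       # DSA prime p
        bits = int.from_bytes(p, "big").bit_length()
    else:
        bits = None
    return ktype, bits, hashlib.sha1(blob).hexdigest()


def audit(lines, blacklist):
    """Return (type, bits, fingerprint, flagged) per key line; skips blanks and comments."""
    return [(*parse_pubkey_line(l.strip()), parse_pubkey_line(l.strip())[2] in blacklist)
            for l in lines if l.strip() and not l.strip().startswith("#")]


# Constructed sample keys: moduli are made up and not real RSA moduli.
WEAK_LINE = make_rsa_line(65537, (1 << 2047) | 0x10001, "user@affected-host")
OK_LINE = make_rsa_line(65537, (1 << 4095) | 0x10001, "user@clean-host")
BLACKLIST = {parse_pubkey_line(WEAK_LINE)[2]}  # constructed blacklist: one known-bad key
```

Running `audit(open("~/.ssh/authorized_keys").readlines(), BLACKLIST)` style over every authorized_keys and .pub file on a host lists which keys must be regenerated and where their public halves were copied.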
