May 15 2008

Time to get a new set of keys

Published by at 7:25 am under Encryption,Security Advisories

If you’re using Debian or Ubuntu, it looks like you need to generate a new set of keys immediately, if not sooner! The SSH keys on those systems used the PID of the process as a seed for generating the old keys, which severely limits the randomness of the keys and has made it possible for a rainbow table of all possible keys to be generated.

There’s some debate about whether this vulnerability is related to an increase in SSH scanning on the Internet, but that’s really immaterial; it will cause a rise in SSH scans soon. Better to secure your system now and stay ahead of the curve than be one of the people unlucky enough to get compromised. As always, the real danger is not what’s happening today, but what happens in a few months when the awareness dies down and people who didn’t get the alerts leave their vulnerable machines on the Internet.

The Internet Storm Center thinks this is really important, so you probably should too.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

3 responses so far

3 Responses to “Time to get a new set of keys”

  1. Ericon 15 May 2008 at 11:04 am

    Was this addressed with the OpenSSH update that came out over the past 2 days?

  2. Martinon 15 May 2008 at 11:29 am

    I’m not certain, but I suspect they are. I don’t have any linux servers at home anymore and I’m not responsible for any professionally, so I haven’t looked into the issue other than the basics.


  3. Ericon 15 May 2008 at 12:40 pm

    As Martin said, I’d recommend updating your system and regenerating your keys either way. It’s probably good practice to regenerate them pretty frequently. I did a brief audit of my /var/log/auth and noticed an increased number of ssh-scans. From a simple regional ISP, 4 a day seems pretty excessive. Of course I’ve got my honeypot set to give them 4 shots to log in before rejecting them for good, so I’d love to know how much they’d be hitting it if they were trying to brute force it.

%d bloggers like this: