[ubuntu-florida] OpenSSH Vulnerability test and fix

Dan Trevino dantrevino at gmail.com
Fri May 16 03:22:56 BST 2008


When you create an ssh session, you're using public keys on both sides and
you're still using the bad P-RNG in libssl to create a new encrypted
session.  Take a look in your ~/.ssh/known_hosts.  All of those that were
generated on Debian/Ubuntu systems are 'weak'.  See this part of the
advisory:

"This includes the automatically generated host keys used by OpenSSH, which
are the basis for its server spoofing and man-in-the-middle protection."

So yes, even if you're using passwords, you need to update all your Debian
and Ubuntu systems.

dan

On Thu, May 15, 2008 at 8:36 PM, Brett Schubert <catsceo at gmail.com> wrote:

> Even if I don't use the keys?
>
> On Thu, May 15, 2008 at 2:38 PM, Dan Trevino <dantrevino at gmail.com> wrote:
>
>> No.  You need to update your systems.
>>
>>
>> On Thu, May 15, 2008 at 1:01 PM, Brett Schubert <catsceo at gmail.com>
>> wrote:
>>
>>> So I should be safe if I use a password login?
>>>
>>>
>>> On Thu, May 15, 2008 at 10:04 AM, Neo Taoist Techno Pagan <
>>> neotaoisttechnopagan at gmail.com> wrote:
>>>
>>>> I haven't heard of any specific situations in which it would be used -
>>>> yet. But yes, I do use passwordless logins on a few systems - only those
>>>> here behind my firewall that I have physical access to.
>>>>
>>>> Brett Schubert wrote:
>>>> > This sounds like it only affects people who use a passwordless log-in,
>>>> > right?
>>>> >
>>>> > On Thu, May 15, 2008 at 7:27 AM, Neo Taoist Techno Pagan
>>>> > <neotaoisttechnopagan at gmail.com
>>>> > <mailto:neotaoisttechnopagan at gmail.com>> wrote:
>>>> >
>>>> >     Yay - I get to admin all my remote servers today... :-(
>>>> >
>>>> >
>>>> >     http://ubuntu-tutorials.com/2008/05/13/openssh-openssh-vulnerabilities-confirm-fix-instructions/
>>>> >
>>>> >
>>>> >     --
>>>> >     Ubuntu-us-fl mailing list
>>>> >     Ubuntu-us-fl at lists.ubuntu.com <mailto:Ubuntu-us-fl at lists.ubuntu.com>
>>>> >     Modify settings or unsubscribe at:
>>>> >     https://lists.ubuntu.com/mailman/listinfo/ubuntu-us-fl
>>>> >
>>>> >
>
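
Added example, not part of the original thread: a Python check for the point made at the top of this message, that `~/.ssh/known_hosts` can still hold weak host keys. It computes the MD5 fingerprint of every entry and flags those found in a set of known-weak fingerprints. The key blobs, host names and the `WEAK_FINGERPRINTS` set are constructed placeholders; a real audit needs the published fingerprint list for the affected keys.

```python
import base64
import binascii
import hashlib

# Constructed stand-ins for host key blobs; these are NOT real keys.
WEAK_BLOB = base64.b64encode(b"constructed-weak-host-key-blob").decode()
GOOD_BLOB = base64.b64encode(b"constructed-regenerated-key-blob").decode()

def md5_fingerprint(b64_blob):
    """Colon-separated MD5 fingerprint of a base64 public key blob."""
    digest = hashlib.md5(base64.b64decode(b64_blob, validate=True)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

# Hypothetical weak-key list (assumption): one constructed fingerprint.
WEAK_FINGERPRINTS = {md5_fingerprint(WEAK_BLOB)}

# Constructed known_hosts content covering the line shapes the file can hold.
SAMPLE_KNOWN_HOSTS = f"""\
# comment line
web1.example.org,192.0.2.10 ssh-rsa {WEAK_BLOB}
db1.example.org ssh-rsa {GOOD_BLOB} rotated after the update
|1|c2FsdA==|aGFzaA== ssh-rsa {WEAK_BLOB}
@revoked old.example.org ssh-rsa {WEAK_BLOB}
broken.example.org ssh-rsa not*base64
"""

def audit_known_hosts(text):
    """Return (weak, unparsed); weak holds (line_no, hosts, fingerprint)."""
    weak, unparsed = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        # Skip blanks, comments, and keys that are already revoked.
        if not fields or fields[0].startswith("#") or fields[0] == "@revoked":
            continue
        if fields[0].startswith("@"):  # other markers, e.g. @cert-authority
            fields = fields[1:]
        try:
            fingerprint = md5_fingerprint(fields[2])  # host, key type, blob
        except (IndexError, binascii.Error):
            unparsed.append(line_no)  # report it; never silently pass it
            continue
        if fingerprint in WEAK_FINGERPRINTS:
            weak.append((line_no, fields[0], fingerprint))
    return weak, unparsed

if __name__ == "__main__":
    print(audit_known_hosts(SAMPLE_KNOWN_HOSTS))
```

Hashed host entries (`|1|...`) are still flagged because the check looks at the key blob, not the host name; the line number is what identifies the entry to remove.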