05-13-2008, 06:20 PM
Rody

where did www.debian.org/security/key-rollover/ go?

In response to the latest security issue with ssl / ssh, I updated my packages
with the new fixed versions of ssl. However the steps to regenerate the keys
are not available on:
www.debian.org/security/key-rollover/
as the security advisory tells us.
According to Google, the page did exist 4 hours ago, but right now it's a dead
link.
I could do one of two things without the rollover text:

1) remove all packages with ssl and ssh in the name, and reinstall them after
that. The necessary keys should be created that way.
2) figure out for myself what combination of dpkg --configure commands I
should use to recreate all the keys on my systems.

Any better suggestions?

Rody


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
05-13-2008, 07:27 PM
Ross Boylan

where did www.debian.org/security/key-rollover/ go?

On Tue, 2008-05-13 at 20:20 +0200, Rody wrote:
> In response to the latest security issue with ssl / ssh, I updated my packages
> with the new fixed versions of ssl. However the steps to regenerate the keys
> are not available on:
> www.debian.org/security/key-rollover/
> as the security advisory tells us.
> According to Google, the page did exist 4 hours ago, but right now it's a dead
> link.
> I could do one of two things without the rollover text:
>
> 1) remove all packages with ssl and ssh in the name, and reinstall them after
> that. The necessary keys should be created that way.
This is probably neither necessary nor sufficient. It's not sufficient
because other programs (e.g., mail servers, database servers) may use
certificates generated with ssl. Also, unless you purge the package it
may leave some old keys.
> 2) figure out for myself what combination of dpkg --configure commands I
> should use to recreate all the keys on my systems.
>
So far I have
1) regenerated keys in ~/.ssh, including tossing my old authorized keys
from other systems. I put the new key on a diskette to take to my other
systems, since I assume transmitting via scp is not a good idea til they
are updated.

2) cd /etc/ssh; invoke-rc.d ssh stop; rm *host*;
dpkg-reconfigure --default-priority openssh-server
I believe that if dpkg-reconfigure finds existing files it will leave
them alone, so you need to delete or move them. I actually moved rather
than rm'd the old files.

I can't say I really understand the role of the keys in /etc/ssh vs
those in ~/.ssh, beyond the fact that the former establish host
identity.

As my previous message indicated, I'm not sure if such extreme measures
are necessary for rsa keys. And I have several other server
applications that probably need new certificates.

With luck others who know more will comment, and the page of
instructions will reappear and grow.

Ross
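
Added example, not part of either post above: the reply notes that reinstalling packages is not sufficient because other servers may hold certificates and old keys can be left behind, so this sketch lists key and certificate files last modified before a cutoff. The function name find_stale_keys and the cutoff (the time the fixed packages were installed on the host) are assumptions supplied by the administrator, not values from the thread.

```shell
#!/bin/sh
# Added example: inventory key material last modified before a cutoff.
# Usage: find_stale_keys CUTOFF DIR...
#   CUTOFF uses `touch -t` format (CCYYMMDDhhmm). It is an assumption you
#   supply: the time the fixed packages were installed on this host.

# Content markers: PEM private keys, PEM certificates, and OpenSSH
# public-key lines (as found in *.pub, authorized_keys, known_hosts).
KEY_PATTERN='-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----|-----BEGIN CERTIFICATE-----|(^| )ssh-(rsa|dss) '

find_stale_keys() {
    cutoff=$1; shift
    ref=$(mktemp) || return 1
    # Reference file whose mtime is the cutoff, for find's -newer test.
    touch -t "$cutoff" "$ref" || { rm -f "$ref"; return 1; }
    # Regular files not newer than the reference, selected by content
    # rather than by name, since keys and certificates are often renamed.
    find "$@" -xdev -type f ! -newer "$ref" \
        -exec grep -lE -e "$KEY_PATTERN" {} + 2>/dev/null | LC_ALL=C sort
    rm -f "$ref"
}

# Stand-alone use, e.g.: sh stale-keys.sh 200805140000 /etc /home /root
if [ "$#" -ge 2 ]; then
    find_stale_keys "$@"
fi
```

The check is based on modification time only, so a key copied or edited after the cutoff will not be listed; treat the output as a starting list for the regeneration work, not as proof that everything else is fresh.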

