05-13-2008, 07:44 PM
Kevin Mark

where did www.debian.org/security/key-rollover/ go?

On Tue, May 13, 2008 at 08:20:55PM +0200, Rody wrote:
>
> In response to the latest security issue with ssl / ssh, i updated my packages
> with the new fixed versions of ssl. However the steps to regenerate the keys
> are not available on:
> www.debian.org/security/key-rollover/
> as the security advisory tells us.
> According to google, the page did exist 4 hours ago, but right now it's a dead
> link.

It could be because of the actions of the DSA, security folks, who are
scrambling to address the need to make new keys for all Debian servers
after an issue was found with random-number generation.
I read about it on debian-infrastructure-announce and debian-devel.
-K
--
| .'`. == Debian GNU/Linux == | my web site: |
| : :' : The Universal |mysite.verizon.net/kevin.mark/|
| `. `' Operating System | go to counter.li.org and |
| `- http://www.debian.org/ | be counted! #238656 |
| my keyserver: subkeys.pgp.net | my NPO: cfsg.org |
|join the new debian-community.org to help Debian! |
|_______ Unless I ask to be CCd, assume I am subscribed _______|


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
05-13-2008, 08:18 PM
"Adrian Levi"

where did www.debian.org/security/key-rollover/ go?

2008/5/14 Rody <rody@xs4all.nl>:
>
> In response to the latest security issue with ssl / ssh, i updated my packages
> with the new fixed versions of ssl. However the steps to regenerate the keys
> are not available on:
> www.debian.org/security/key-rollover/
> as the security advisory tells us.
> According to google, the page did exist 4 hours ago, but right now it's a dead
> link.

At the moment it's just a page saying there is more to come. Have
patience, it will come.

Adrian

--
24x7x365 != 24x7x52 Stupid or bad maths?
<erno> hm. I've lost a machine.. literally _lost_. it responds to
ping, it works completely, I just can't figure out where in my
apartment it is.


 
05-13-2008, 10:49 PM
Joey Hess

where did www.debian.org/security/key-rollover/ go?

Rody wrote:
> In response to the latest security issue with ssl / ssh, i updated my packages
> with the new fixed versions of ssl. However the steps to regenerate the keys
> are not available on:
> www.debian.org/security/key-rollover/
> as the security advisory tells us.
> According to google, the page did exist 4 hours ago, but right now it's a dead
> link.

AFAICS, the page is not ready yet. "More to follow soon"

This page on the wiki has fairly complete instructions in the meantime:

http://wiki.debian.org/SSLkeys

> 1) remove all packages with ssl and ssh in the name, and reinstall them after
> that. The necessary keys should be created that way.

No, that will not work.

--
see shy jo
 
05-13-2008, 10:53 PM
Joey Hess

where did www.debian.org/security/key-rollover/ go?

Ross Boylan wrote:
> 2) cd /etc/ssh; invoke-rc.d ssh stop; rm *host*;
> dpkg-reconfigure --default-priority openssh-server

There's no need to stop ssh. Just
rm /etc/ssh/*host*; dpkg-reconfigure openssh-server

And then go fix all your ~/.authorized_keys files. And also openvpn and
SSL certificates.

BTW, if you're running unstable, a new openssh-server package will be
available in the next update (in about 8 hours) that automates replacing
weak ssh host keys, and also blocks login attempts using weak keys.

--
see shy jo
 
05-13-2008, 10:58 PM
Eduardo M KALINOWSKI

where did www.debian.org/security/key-rollover/ go?

Joey Hess wrote:
> Ross Boylan wrote:
>
>> 2) cd /etc/ssh; invoke-rc.d ssh stop; rm *host*;
>> dpkg-reconfigure --default-priority openssh-server
>>
>
> There's no need to stop ssh. Just
> rm /etc/ssh/*host*; dpkg-reconfigure openssh-server
>

Here I ran /etc/init.d/ssh restart after purging the host keys, is that
enough or does dpkg-reconfigure do something extra that is necessary?

--
A base do teto desaba.
-- palíndromo

Eduardo M KALINOWSKI
eduardo@kalinowski.com.br
http://move.to/hpkb


 
05-13-2008, 11:01 PM
Joey Hess

where did www.debian.org/security/key-rollover/ go?

Eduardo M KALINOWSKI wrote:
> Here I ran /etc/init.d/ssh restart after purging the host keys, is that
> enough or does dpkg-reconfigure do something extra that is necessary?

dpkg-reconfigure openssh-server generates any missing host keys, and
restarts ssh for you.

--
see shy jo
 
05-13-2008, 11:37 PM
Håkon Alstadheim

where did www.debian.org/security/key-rollover/ go?

Joey Hess wrote:
> Eduardo M KALINOWSKI wrote:
>> Here I ran /etc/init.d/ssh restart after purging the host keys, is that
>> enough or does dpkg-reconfigure do something extra that is necessary?
>
> dpkg-reconfigure openssh-server generates any missing host keys, and
> restarts ssh for you.

You still need to remove weak ssh keys from authorized_hosts, which
neither procedure does.


--
Håkon Alstadheim
47 35 39 38
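
Added example, not part of the original thread: one way to audit an authorized_keys file for keys that still have to be removed after the host keys are regenerated. It assumes you already hold a list of MD5 fingerprints of known-weak keys (`weak_fingerprints`, a hypothetical input the thread does not specify); the key blobs in the sample are constructed, not real keys.

```python
import base64
import binascii
import hashlib

KEY_TYPES = {"ssh-rsa", "ssh-dss"}  # assumption: key types to look for


def md5_fingerprint(blob_b64):
    """Colon-separated MD5 fingerprint of a base64 public-key blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.md5(raw).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def audit_authorized_keys(text, weak_fingerprints):
    """Return (line_number, fingerprint, comment) for each weak key."""
    weak = {fp.lower() for fp in weak_fingerprints}
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Options may precede the key type, so locate the type token first.
        for i, tok in enumerate(tokens[:-1]):
            if tok not in KEY_TYPES:
                continue
            try:
                fp = md5_fingerprint(tokens[i + 1])
            except (binascii.Error, ValueError):
                continue  # "ssh-rsa" inside a quoted option, not a key
            if fp in weak:
                hits.append((lineno, fp, " ".join(tokens[i + 2:])))
            break
    return hits


# Constructed sample: the blobs are placeholders, not real public keys.
WEAK_BLOB = base64.b64encode(b"constructed weak key").decode()
GOOD_BLOB = base64.b64encode(b"constructed good key").decode()
SAMPLE = "\n".join([
    "# constructed authorized_keys content",
    f"ssh-rsa {GOOD_BLOB} alice@laptop",
    f'command="echo ssh-rsa x",no-pty ssh-rsa {WEAK_BLOB} backup@etch-box',
    f"ssh-dss {WEAK_BLOB} bob@old-host",
])
WEAK_LIST = {md5_fingerprint(WEAK_BLOB)}

if __name__ == "__main__":
    for hit in audit_authorized_keys(SAMPLE, WEAK_LIST):
        print(hit)
```

Run it over every account's authorized_keys file, not only root's, since each listed key is a standing login credential.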



 
05-14-2008, 02:04 AM
"Douglas A. Tutty"

where did www.debian.org/security/key-rollover/ go?

On Tue, May 13, 2008 at 08:20:55PM +0200, Rody wrote:
>
> In response to the latest security issue with ssl / ssh, i updated my packages
> with the new fixed versions of ssl. However the steps to regenerate the keys
> are not available on:
> www.debian.org/security/key-rollover/

After keys are regenerated and all old keys are removed, would a reboot
be in order to ensure that no apps are using old files that have been
unlinked but still open?

I don't suppose that new version of (was it ssh) in Sid that warns of
connections with weak keys will be backported to Etch as a security fix?

Doug.


 
05-14-2008, 02:39 AM
Joey Hess

where did www.debian.org/security/key-rollover/ go?

Douglas A. Tutty wrote:
> After keys are regenerated and all old keys are removed, would a reboot
> be in order to ensure that no apps are using old files that have been
> unlinked but still open?

If replacing a key for a daemon like ssh, or apache, or postfix, restart
the daemon. Some of these daemons read the key file into memory on
startup and never re-read it.

> I don't suppose that new version of (was it ssh) in Sid that warns of
> connections with weak keys will be backported to Etch as a security fix?

Yes, ssh in etch will be updated.

--
see shy jo
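
Added example, not part of the original thread: a check for the situation described above, where a daemon loaded its key at startup and the key file was replaced afterwards. It assumes a Linux `/proc`; the PID and key paths are supplied by the caller, and the function names are made up for this example.

```python
import os
import sys


def process_start_time(pid):
    """Wall-clock start time of a process, read from Linux /proc."""
    with open(f"/proc/{pid}/stat") as f:
        # The command name (field 2) may contain spaces; split after its ")".
        fields = f.read().rsplit(")", 1)[1].split()
    start_ticks = int(fields[19])  # field 22 overall: start time since boot
    with open("/proc/stat") as f:
        boot = next(int(l.split()[1]) for l in f if l.startswith("btime"))
    return boot + start_ticks / os.sysconf("SC_CLK_TCK")


def keys_newer_than_process(pid, key_paths):
    """Key files written after the process started, so it cannot have read them."""
    started = process_start_time(pid)
    return [p for p in key_paths if os.path.getmtime(p) > started]


if __name__ == "__main__":
    # usage: script.py PID KEYFILE [KEYFILE ...]
    pid, paths = int(sys.argv[1]), sys.argv[2:]
    for path in keys_newer_than_process(pid, paths):
        print(f"pid {pid} started before {path} was written; restart it")
```

An empty result only shows the process is younger than the files; it says nothing about whether the keys themselves are weak.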
 
05-14-2008, 01:20 PM
Johannes Wiedersich

where did www.debian.org/security/key-rollover/ go?

On 2008-05-14 04:39, Joey Hess wrote:
> Douglas A. Tutty wrote:
>> I don't suppose that new version of (was it ssh) in Sid that warns of
>> connections with weak keys will be backported to Etch as a security fix?
>
> Yes, ssh in etch will be updated.
>
How about lenny/testing?

Thanks,

Johannes