05-13-2008, 06:35 PM
Markus Schönhaber

Weak host-keys are not replaced during openssh update

Hi,

http://www.ubuntu.com/usn/usn-612-2
says:
| OpenSSH host keys can be automatically regenerated when the OpenSSH
| security update is applied. The update will prompt for confirmation
| before taking this step.

On two of the Gutsy servers I administer the weak host keys remain in
place after
aptitude update
aptitude safe-upgrade
and I am not prompted anything during the upgrade either.

Anyone else seeing this?

Regards
mks

--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
05-13-2008, 06:49 PM
Mario Vukelic

Weak host-keys are not replaced during openssh update

On Tue, 2008-05-13 at 20:35 +0200, Markus Schönhaber wrote:
> On two of the Gutsy servers I administer the weak host keys remain in
> place after
> aptitude update
> aptitude safe-upgrade
> and I am not prompted anything during the upgrade either.
>
> Anyone else seeing this?

Maybe this:

===========================================================
Ubuntu Security Notice USN-612-2 May 13, 2008
openssh vulnerability
CVE-2008-0166, http://www.ubuntu.com/usn/usn-612-1
===========================================================

<snip>

"Once the update is applied, weak user keys will be automatically
rejected where possible (though they cannot be detected in all
cases). If you are using such keys for user authentication,
they will immediately stop working and will need to be replaced
(see step 3)."




 
05-13-2008, 07:08 PM
Mario Vukelic

Weak host-keys are not replaced during openssh update

On Tue, 2008-05-13 at 20:49 +0200, Mario Vukelic wrote:
> Maybe this: <snip>

Um, probably not.

Upon reflection I think that the upgrade does not replace any keys at
all. You need to do that yourself. At least that's what the Debian
announcement says:

"It is strongly recommended that all cryptographic key material which
has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
systems is recreated from scratch."

http://article.gmane.org/gmane.linux.debian.security.announce/1614


 
05-13-2008, 07:40 PM
Markus Schönhaber

Weak host-keys are not replaced during openssh update

Mario Vukelic wrote:

> On Tue, 2008-05-13 at 20:49 +0200, Mario Vukelic wrote:
>> Maybe this: <snip>
>
> Um, probably not.
>
> Upon reflection I think that the upgrade does not replace any keys at
> all. You need to do that yourself. At least that's what the Debian
> announcement says:
>
> "It is strongly recommended that all cryptographic key material which
> has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
> systems is recreated from scratch."
>
> http://article.gmane.org/gmane.linux.debian.security.announce/1614

Which would contradict the section of the USN I cited.

Anyway, the culprit is a temporary blindness on my part which prevented
me from seeing that aptitude safe-upgrade did keep the update of
openssh-server back. What makes this even harder to bear for me is the
fact that I *did* read Karl Auer's post about "can't seem to get
openssh-*" before I posted my question. Well, there is no cure against
dumbness - you can only hope it doesn't hurt too much.

If one actually *does* update openssh-server, the server keys will be
regenerated.
Sorry for the noise.

Regards
mks


 
05-13-2008, 07:48 PM
NoOp

Weak host-keys are not replaced during openssh update

On 05/13/2008 11:49 AM, Mario Vukelic wrote:
> On Tue, 2008-05-13 at 20:35 +0200, Markus Schönhaber wrote:
>> On two of the Gutsy servers I administer the weak host keys remain in
>> place after
>> aptitude update
>> aptitude safe-upgrade
>> and I am not prompted anything during the upgrade either.
>>
>> Anyone else seeing this?
>
> Maybe this:
>
> ===========================================================
> Ubuntu Security Notice USN-612-2 May 13, 2008
> openssh vulnerability
> CVE-2008-0166, http://www.ubuntu.com/usn/usn-612-1
> ===========================================================
>
> <snip>
>
> "Once the update is applied, weak user keys will be automatically
> rejected where possible (though they cannot be detected in all
> cases). If you are using such keys for user authentication,
> they will immediately stop working and will need to be replaced
> (see step 3)."
>
>
>
>

Probably worth posting:

http://www.ubuntu.com/usn/

- USN-612-3: OpenVPN vulnerability (CVE-2008-0166)
- USN-612-2: OpenSSH vulnerability (CVE-2008-0166)
- USN-612-1: OpenSSL vulnerability (CVE-2008-0166)

$ sudo ssh-vulnkey -a

checks all keys on the system.


 
05-13-2008, 07:48 PM
Mario Vukelic

Weak host-keys are not replaced during openssh update

On Tue, 2008-05-13 at 21:40 +0200, Markus Schönhaber wrote:
> Sorry for the noise.

And mine


 
05-13-2008, 08:04 PM
Bob Cortez

Weak host-keys are not replaced during openssh update

$ sudo ssh-vulnkey -a
Not blacklisted: 2048 09:c4:3f:72:c2:e4:44:22:e2:46:5f:93:b0:c7:c4:b4 /etc/ssh/ssh_host_rsa_key.pub

Not blacklisted: 1024 74:8e:0c:ac:d3:0e:07:05:2f:3b:89:2b:ab:bd:19:6a /etc/ssh/ssh_host_dsa_key.pub

As usual, I have no clue what that means.

I have my update manager set to automatically install security updates. Had a number of them this morning that required a restart. Where can I find the log of what was installed and if this problem has been addressed with the auto update?


Thanks,

Bob



 
05-13-2008, 08:13 PM
NoOp

Weak host-keys are not replaced during openssh update

On 05/13/2008 12:40 PM, Markus Schönhaber wrote:
> Mario Vukelic wrote:
>
>> On Tue, 2008-05-13 at 20:49 +0200, Mario Vukelic wrote:
>>> Maybe this: <snip>
>>
>> Um, probably not.
>>
>> Upon reflection I think that the upgrade does not replace any keys at
>> all. You need to do that yourself. At least that's what the Debian
>> announcement says:
>>
>> "It is strongly recommended that all cryptographic key material which
>> has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
>> systems is recreated from scratch."
>>
>> http://article.gmane.org/gmane.linux.debian.security.announce/1614
>
> Which would contradict the section of the USN I cited.
>
> Anyway, the culprit is a temporary blindness on my part which prevented
> me from seeing that aptitude safe-upgrade did keep the update of
> openssh-server back. What makes this even harder to bear for me is the
> fact that I *did* read Karl Auer's post about "can't seem to get
> openssh-*" before I posted my question. Well, there is no cure against
> dumbness - you can only hope it doesn't hurt too much.
>
> If one actually *does* update openssh-server, the server keys will be
> regenerated.
> Sorry for the noise.
>
> Regards
> mks
>
>

Worked on one machine, but the others didn't so following the upgrade I
just purged and reinstalled openssh-server. The keys then get
regenerated. Of course my NX keys are wonked as well, so it's another
fun day :-)



 
05-13-2008, 08:22 PM
NoOp

Weak host-keys are not replaced during openssh update

On 05/13/2008 01:04 PM, Bob Cortez wrote:
> $ sudo ssh-vulnkey -a
>
>> Not blacklisted: 2048 09:c4:3f:72:c2:e4:44:22:e2:46:5f:93:b0:c7:c4:b4
>> /etc/ssh/ssh_host_rsa_key.pub
>> Not blacklisted: 1024 74:8e:0c:ac:d3:0e:07:05:2f:3b:89:2b:ab:bd:19:6a
>> /etc/ssh/ssh_host_dsa_key.pub
>>
>
> As usual, I have no clue what that means.

Neither do I, but _think_ it means you are ok and that your keys are not
in the ssh blacklist.

I have/had several that showed: COMPROMISED: blah

So it's going to take me a while to figure out how to clean everything
out, regen, etc.

>
> I have my update manager set to automatically install security updates. Had
> a number of them this morning that required a restart. Where can I find the
> log of what was installed and if this problem has been addressed with the
> auto update?

Go to Synaptic (System|Administration|Synaptic...|File|History|May 2008|day).
That will show you what was upgraded/installed on that day.


 
05-20-2008, 01:26 AM
Derek Broughton

Weak host-keys are not replaced during openssh update

Mario Vukelic wrote:

> On Tue, 2008-05-13 at 20:49 +0200, Mario Vukelic wrote:
>> Maybe this: <snip>
>
> Um, probably not.
>
> Upon reflection I think that the upgrade does not replace any keys at
> all. You need to do that yourself. At least that's what the Debian
> announcement says:
>
> "It is strongly recommended that all cryptographic key material which
> has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
> systems is recreated from scratch."
>
> http://article.gmane.org/gmane.linux.debian.security.announce/1614

I got a prompt when I installed that seemed to replace some keys. I then
ran ssh-vulnkey to find the others and deleted all the ones that were
obsolete anyway, and now don't have any that are actually known to be
compromised (though there are still a couple of "unknown"s).
--
derek


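As an added example (not code posted by anyone in this thread), here is a POSIX shell triage of the "ssh-vulnkey -a" output that NoOp and Derek describe walking through by hand: it separates the keys the blacklist flags as COMPROMISED from the ones it cannot judge, so the regeneration work is listed in one place. The sample output is constructed (Bob's "Not blacklisted" RSA line is reused from above, the other fingerprints and paths are invented), and the exact wording of the "Unknown (no blacklist information):" prefix is an assumption.

```shell
#!/bin/sh
# Added example: triage ssh-vulnkey output. Each line starts with a status,
# then key size, fingerprint and the key file. "Not blacklisted:" and
# "COMPROMISED:" appear in the thread; the "Unknown" prefix is assumed.

# Constructed sample standing in for: sudo ssh-vulnkey -a
SAMPLE_VULNKEY_OUTPUT='Not blacklisted: 2048 09:c4:3f:72:c2:e4:44:22:e2:46:5f:93:b0:c7:c4:b4 /etc/ssh/ssh_host_rsa_key.pub
COMPROMISED: 1024 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00 /etc/ssh/ssh_host_dsa_key.pub
COMPROMISED: 2048 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99 /home/bob/.ssh/id_rsa.pub
Unknown (no blacklist information): 4096 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff /root/.ssh/id_rsa.pub'

# Print the file path (last field) of every line whose status is $1.
# Usage: keys_with_status "COMPROMISED" "$output"
keys_with_status() {
    prefix=$1
    printf '%s\n' "$2" | awk -v p="$prefix" '
        index($0, p ":") == 1 { print $NF }'
}

# Report keys that must be regenerated and keys that need a manual look.
# Returns 0 only when no key is flagged COMPROMISED.
triage_vulnkey() {
    output=$1
    bad=$(keys_with_status "COMPROMISED" "$output")
    unknown=$(keys_with_status "Unknown (no blacklist information)" "$output")
    if [ -n "$bad" ]; then
        echo "Generated with the weak OpenSSL; regenerate and redistribute:"
        printf '  %s\n' $bad
    fi
    if [ -n "$unknown" ]; then
        echo "No blacklist covers these; inspect them manually:"
        printf '  %s\n' $unknown
    fi
    [ -z "$bad" ]
}

# Stand-alone run against the constructed sample.
triage_vulnkey "$SAMPLE_VULNKEY_OUTPUT"
```

On a real system, replace the sample with the captured output of "sudo ssh-vulnkey -a"; host keys listed as COMPROMISED are the ones the thread regenerates by reinstalling openssh-server.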
 