Results tagged “OpenSSL” from CLICK

OpenSSL bug in Debian, Ubuntu and ... anything based on Debian


So who hasn't heard about the bug in OpenSSL in Debian-based distributions that renders any SSH keys created in the past two years extremely weak from a cryptographic standpoint?

The problem is that, because of the error, only 32,767 distinct keys could be generated instead of the many millions that should have been possible. That's easy for a hacker to crack. Not a good thing at all.

According to my feeble understanding of the issue, there was a problem with the random-number generator used for the process of creating the keys needed for secure access to servers. And yes, I do use OpenSSL quite a bit and will be discarding and re-generating my keys very soon now. As soon as I figure out how to do it, that is.
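To make the "only 32,767 keys" point concrete, here is a toy model added for this post (not code from the post, from Debian or from OpenSSL). It stands in for real key generation with a short hash so it runs instantly; the only thing it models is that the broken build fed the PRNG nothing that varied except the process ID, which on a stock Linux kernel runs from 1 to 32767. The PID range and the `weak_keygen`/`fixed_keygen` names are assumptions of the model.

```python
"""Toy model of why the Debian OpenSSL bug left only 32,767 possible keys.

Added illustration, not code from the post or from OpenSSL.  In the broken
Debian build the process ID was effectively the only input that varied
between PRNG seedings, so two key generations in processes with the same
PID produced the same key.  Real RSA key generation is replaced by a
16-byte hash here; the counting argument is unchanged.
"""
import hashlib
import math
import os

PID_MAX = 32767  # assumption: classic Linux pid range 1..32767


def weak_keygen(pid: int) -> bytes:
    """Model of the broken build: the PID is the only varying PRNG input."""
    return hashlib.sha256(pid.to_bytes(2, "big")).digest()[:16]


def fixed_keygen(pid: int, entropy: bytes) -> bytes:
    """Model of the repaired build: PID plus real entropy from the OS."""
    return hashlib.sha256(pid.to_bytes(2, "big") + entropy).digest()[:16]


def count_weak_keys() -> int:
    """Every key the broken generator can ever produce, one per PID."""
    return len({weak_keygen(pid) for pid in range(1, PID_MAX + 1)})


def count_fixed_keys(samples: int) -> int:
    """Distinct keys from `samples` runs of the fixed generator at ONE pid."""
    return len({fixed_keygen(1234, os.urandom(32)) for _ in range(samples)})


def effective_entropy_bits(distinct_keys: int) -> float:
    """log2 of the number of distinct keys: the real strength of the keyspace."""
    return math.log2(distinct_keys)


if __name__ == "__main__":
    weak = count_weak_keys()
    print(f"broken build: {weak} keys, ~{effective_entropy_bits(weak):.1f} bits")
    print(f"fixed build, same pid, 1000 runs: {count_fixed_keys(1000)} keys")
```

Same PID, same key: `weak_keygen(4242) == weak_keygen(4242)` is exactly the collision that makes a 32,767-entry blacklist of weak keys possible, and the fixed generator at a single PID never repeats.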

Here is one of the many Debian developer/maintainer blog posts that attempts to explain the whole thing.

And here is the Debian Security announcement with instructions on how to deal with it.

Some are calling this bug the worst thing to ever happen to the Debian project. The worst part is that systems have been vulnerable for the past two years. And this means Ubuntu, too.

There's been plenty of carping and gloating about this on the OpenBSD mailing lists. OpenBSD, in case you don't know, is the project where OpenSSL originated, and there's been plenty of blaming going on. And since OpenBSD is extremely focused on security and cryptography, those who develop and use it are extremely ... interested in the snafu.

What I'd like to see is an easy way for users to know that they need to regenerate their SSH keys -- along with an equally easy way to do it. To that end:

Here's a really good Ubuntu blog post on how to make it right on your machines.

The security announcement from Ubuntu is also very helpful.

And in case it got missed in any of these others (although I can't imagine that it did), here's a post that goes into how to generate new keys for OpenSSH-server.

In my case, I think I only have server keys on my Debian Etch box. I don't recall using OpenSSL as a client on any Debian or Ubuntu installs because I've been using MacSSH on the Powerbook 1400 and PuTTY on the Windows box as clients. And the only server affected is the aforementioned Debian Etch install.

The only other server on which I have OpenSSL-server is my OpenBSD machine, which is unaffected by all of this. As a point (or two) of information, in OpenBSD you get both the OpenSSL client and server in the base system; in Debian you get the client but must add the server if you want it.

Final note: I'm no expert when it comes to these things, hence the voluminous number of links included in this post. I'll be studying them myself over the next few days or so.

Steven Rosenberg aims to learn what he does not know. He writes about it here.