Lloyd
05-16-2008, 07:03 PM
This is an emergency security issue for nearly all Rimuhosting customers, whether or not they run Debian Etch or Debian derivative systems.
It was announced on May 13 that the Debian openssl package in use since 2006 generates ssl keys that fall in a very small, predictable group of keys. These keys can be broken with only about 20 minutes of brute-forcing. The brute-forcing scripts have already been released into the "wild." You can run software on your server to identify compromised keys from a "blacklist" of key signatures in a fraction of a second.
Rimuhosting customers are affected in 2 ways.
First, Rimuhosting staff ssh keys are (most of them, anyway) compromised. I believe these keys are present on every machine that has had a support ticket answered. With only the presence of a single compromised public key in your file /root/.ssh/authorized_keys, your machine can easily be hacked into. The detection software mentioned in the resource links below will allow you to identify the compromised Rimuhosting staff keys. If you are unable to run tests for compromised keys on your system immediately, it is best to remove all the Rimuhosting staff private keys from your authorized_keys file, leaving only the "master" Rimuhosting key. Or, you can turn off SSL authentication for your sshd server.
Second, if you have generated ssl keys (server host key, ssh user login key, secure cert, Postfix TTL key, etc.) on a Debian-based system since 2006, the keys will be compromised. If your keys are vulnerable you need to upgrade your openssl packages and generate new keys NOW.
The Debian developers have included, with the new openssl packages, a program to identify compromised keys, and you will find instructions below for replacing keys used by various programs.
Resources:
http://www.debian.org/security/2008/dsa-1576
http://metasploit.com/users/hdm/tools/debian-openssl/
http://www.debian.org/security/key-rollover/
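
Added example, not part of the original post and not the Debian tool itself: a sketch of the blacklist check described above, fingerprinting each key in an authorized_keys file and reporting the ones on a blacklist. The blacklist format (one lower-case hex MD5 fingerprint per line, full or truncated to a trailing suffix) and all sample keys are assumptions constructed for illustration.

```python
import base64, binascii, hashlib, re, struct

KEY_RE = re.compile(r"(ssh-rsa|ssh-dss)\s+([A-Za-z0-9+/]+={0,2})")

def fingerprint(line):
    """Return (keytype, md5 hex fingerprint, comment) for one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    for m in KEY_RE.finditer(line):  # skips look-alikes inside a leading options field
        keytype, b64 = m.groups()
        try:
            blob = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            continue
        # A genuine key blob starts with its own length-prefixed type name.
        header = struct.pack(">I", len(keytype)) + keytype.encode()
        if blob.startswith(header):
            return keytype, hashlib.md5(blob).hexdigest(), line[m.end():].strip()
    return None

def load_blacklist(text):
    """Parse blacklist text into a set of fingerprint suffixes (assumed format)."""
    return {l.strip().lower() for l in text.splitlines() if l.strip() and not l.startswith("#")}

def audit(authorized_keys_text, blacklist):
    """Return [(line_no, comment, fingerprint)] for every key found on the blacklist."""
    hits = []
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        parsed = fingerprint(line)
        if parsed and any(parsed[1].endswith(entry) for entry in blacklist):
            hits.append((n, parsed[2], parsed[1]))
    return hits

def make_blob(keytype, payload):  # hypothetical helper: builds a constructed, non-real key blob
    return struct.pack(">I", len(keytype)) + keytype.encode() + payload

# Constructed sample data: neither entry is a real key or a real blacklist value.
WEAK = base64.b64encode(make_blob("ssh-rsa", b"constructed-weak-key")).decode()
GOOD = base64.b64encode(make_blob("ssh-rsa", b"constructed-good-key")).decode()
SAMPLE_KEYS = f"""# constructed sample authorized_keys
ssh-rsa {GOOD} master@example
from="192.0.2.10",no-pty ssh-rsa {WEAK} staff1@example
"""
SAMPLE_BLACKLIST = hashlib.md5(base64.b64decode(WEAK)).hexdigest()[12:] + "\n"

if __name__ == "__main__":
    for hit in audit(SAMPLE_KEYS, load_blacklist(SAMPLE_BLACKLIST)):
        print("blacklisted key at line %d (%s): %s" % hit)
```

Any line it reports should be removed from authorized_keys and the corresponding key pair regenerated after the openssl packages are upgraded.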