willfe's picture

The Sound of a Million SSL/SSH Keys Dying at Once

Recently a Debian developer discovered that a change made (by Debian) in OpenSSL (the underlying toolkit that powers OpenSSH and OpenVPN, as well as providing a stable SSL system for open-source web servers) a couple years ago significantly reduced how much genuine “entropy” (randomness) was available at key creation time for users of the OpenSSL library. Oops :) The end result is that it is theoretically possible for an attacker to guess your private key with just a little bit of information from your system.

Ubuntu users already have updates waiting when they next check for updates, but there’s the additional step of re-creating your private keys too (and the requisite “installing them on your systems” step that follows) to be free of the impacts of this update. It’s actually pretty straightforward to do (and if you don’t know what the hell I’m talking about, you’re not affected anyway :) ).

The relevant advisories are:

A handy little tool called ssh-copy-id is a wonderful little bit of shorthand to help install your key on new systems quickly. On a regular box where you’ve just got the one key, you can just copy it over with a single command:

$ ssh-copy-id username@host

You’ll be prompted for your normal login password for username@host, but after that the tool automatically installs your public key in the right place on the target and from then on you shouldn’t need to take any extra steps for it to all “just work.” It’s spiffy.

BTW, anybody who’s gotten a bit rusty on their care and feeding of ssh and needs a refresher on how to regenerate a key, just run

$ ssh-keygen

by itself for an RSA key (add “-t dsa” to get a DSA key).
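ssh-copy-id only appends the new public key to the target's authorized_keys; the old, weak key stays authorized there until it is removed. The following is an added example, not part of the original post: a shell function that deletes a retired key from an authorized_keys file by matching its key blob. The function names and the `id_rsa.old.pub` path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): drop a retired public key from
# an authorized_keys file. Paths and the helper names are assumptions.

# key_blob PUBFILE: print the base64 key blob (2nd field) of a .pub file.
key_blob() {
    awk 'NF >= 2 { print $2; exit }' "$1"
}

# revoke_key OLD_PUBFILE AUTHORIZED_KEYS
# Removes every line carrying the old key blob, regardless of the comment or
# any options prefix (from=, command=, ...). Prints the number of lines removed.
revoke_key() {
    old_pub=$1
    auth=$2
    blob=$(key_blob "$old_pub")
    [ -n "$blob" ] || { echo "no key found in $old_pub" >&2; return 2; }
    [ -f "$auth" ] || { echo 0; return 0; }

    # Write survivors to a temp file beside the original, then rename over it.
    tmp=$(mktemp "$auth.XXXXXX") || return 1
    removed=$(awk -v blob="$blob" -v out="$tmp" '
        {
            hit = 0
            for (i = 1; i <= NF; i++) if ($i == blob) hit = 1
            if (hit) n++; else print > out
        }
        END { print n + 0 }' "$auth") || { rm -f "$tmp"; return 1; }

    chmod 600 "$tmp" && mv "$tmp" "$auth" || { rm -f "$tmp"; return 1; }
    echo "$removed"
}

# Typical use on each host, after the new key is installed and tested:
#   revoke_key ~/id_rsa.old.pub ~/.ssh/authorized_keys
```

Keep a copy of the old public key file before regenerating, since it is what identifies the entries to remove on every host.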

To the nay-sayers out there whining that this is an “obvious demonstration” that open source isn’t as secure as it’s claimed, bullshit. This is exactly how open source is more secure — somebody noticed a problem and it was fixed and rolled out within hours, not days, weeks, or months like with a closed-source vendor. Also, there is no known exploit for this vulnerability. Finally, this was a Debian-only goof (Ubuntu is based on Debian, so it and any other Debian-variant Linux distribution were affected as well), and wasn’t a problem with the original OpenSSL on which this package was based.
