Debian Linux Resources - OpenSSHd / OpenSSL Blacklist Keys

May 13th 2008 was a really bad day for the Debian project, probably one of the worst days in the history of Debian. Luciano Bello discovered that the random number generator in Debian’s openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable. Systems which are running any of the following releases are affected: o Debian 4.0 (etch): http://www.debian.org/security/2008/dsa-1571 o Ubuntu 7.04 (Feisty), 7.10 (Gutsy), 8.04 LTS (Hardy): http://www.ubuntu.com/usn/usn-612-1 o Debian Etch based Distributions To check if vulnerable keys exist on a debian based installation: # ssh-vulnkey To check all your keys in the standard locations: # ssh-vulnkey -a To check a key in a non-standard location: # ssh-vulnkey /path/to/key Check installed version of SSHd: dpkg -l *ssh* | grep ^i http://wiki.debian.org/SSLkeys http://www.debian.org/security/key-rollover/ -------------------------------------------------------------------------------- http://www.cyberciti.biz/faq/linux-publickey-blacklisted-see-ssh-vulnkey1-error/ http://www.cyberciti.biz/faq/howto-regenerate-openssh-host-keys/ http://www.cyberciti.biz/tips/impact-of-debian-openssl-vulnerability.html tail /var/log/auth.log sshd[9350]: Public key 36:e4:66:5a:f6:24:79:68:97:58:d4:72:a5:8e:0d:4b blacklisted (see ssh-vulnkey(1)) I'm using Ubuntu Linux as desktop operating system. How do I fix this error? This is well known security flow in Debian / Ubuntu Linux OpenSSL package. First, you need to update your Ubuntu Linux desktop software, by typing following commands: $ sudo apt-get update $ sudo apt-get upgrade This will update openssl, openssh server and client packages for you. This will also regenerate COMPROMISED keys stored /etc/ssh/ directory. However, this will update your personal COMPROMISED keys stored at $HOME/.ssh. Type the following command to list all COMPROMISED keys: $ sudo ssh-vulnkey -a ssh-vulnkey checks a key against a blacklist of compromised keys. You must remove all COMPROMISED keys and regenerate them again using ssh-keygen command. $ cd ~/.ssh $ rm id_* $ ssh-keygen -t rsa -OR- $ ssh-keygen -t dsa Upload new id_rsa.pub or id_dsa.pub file to remote host and overwrite existing authorized_keys2 file, enter: $ scp ~/.ssh/id_rsa.pub user@in013.example.com:.ssh/authorized_keys2 If you have multiple keys, then copy ~/.ssh/id_rsa.pub to $HOME and manually delete / update authorized_keys2 file: $ scp ~/.ssh/id_rsa.pub user@in013.example.com:~/ Find out line number, enter: $ grep 'your-desktop-name' ~/.ssh/authorized_keys2 Use vi to open COMPROMISED key, enter (replace N with actual line number): $ vi +N ~/.ssh/authorized_keys2 Delete file pressing dd once. Save and close the file. Append new public key, enter: $ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys2 --------------------------------------------------------------------------------