How-To regenerate your SSH/SSL Keys - Debian Security Advisory 1571

farslayer · 05-14-2008, 09:17 AM

I'm sure everyone else is working on this today no ?

Quote:

In Debian Security Advisory 1571 (New openssl packages fix predictable random number generator), the Debian Security Team disclosed a vulnerability in the openssl package that makes many cryptographic keys that are used for authentication (e.g. through SSH) or signing (e.g. web server certificates) potentially vulnerable.

Debian has posted a wiki HOW-TO for the key regeneration process.
http://wiki.debian.org/SSLkeys

I also think the following page will be of value once it has some content..
How-To implement Key Rollover in various Debian applications

//edit: The KEY ROLLOVER page has been updated with content.

//moderator.note: WD for posting, I stickied it for the moment.

Telemachos · 05-15-2008, 09:34 AM

Here's a quick howto on generating new keys: http://www.softec.st/en/OpenSource/D...ateNewSsh.html

leibniz · 06-11-2008, 02:44 PM

I've read the security advisory and many how-tos, as well as the links in the post above.

However, when I regenerate the host keys, blacklisted keys are regenerated !

What's up with that ??

Code:

debian:~# rm /etc/ssh/ssh_host*
debian:~# dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Host key 39:82:2c:e2:b0:de:88:1e:49:ff:a4:33:XX:XX:XX:XX blacklisted (see ssh-vulnkey(1))
Host key 6e:92:88:e0:de:10:03:86:60:7c:1d:b1:XX:XX:XX:XX blacklisted (see ssh-vulnkey(1))
Restarting OpenBSD Secure Shell server: sshdHost key 39:82:2c:e2:b0:de:88:1e:49:ff:a4:33:XX:XX:XX:XX blacklisted (see ssh-vulnkey(1))
Host key 6e:92:88:e0:de:10:03:86:60:7c:1d:b1:3e:ee:27:c8 blacklisted (see ssh-vulnkey(1))
.

Thoughts?

EDIT: Etch / 4.0 stable, x86_64 version. Yes, I'm up2date.

Code:

debian:~# apt-get install openssh-server
Reading package lists... Done
Building dependency tree... Done
openssh-server is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
debian:~# dpkg -l | grep -e openss
ii  openssh-blacklist                        0.1.1                                list of blacklisted OpenSSH RSA and DSA keys
ii  openssh-client                           4.3p2-9etch2                         Secure shell client, an rlogin/rsh/rcp repla
ii  openssh-server                           4.3p2-9etch2                         Secure shell server, an rshd replacement
ii  openssl                                  0.9.8c-4etch3                        Secure Socket Layer (SSL) binary and related
ii  ssl-cert                                 1.0.14                               Simple debconf wrapper for openssl
debian:~#

leibniz · 06-12-2008, 09:08 PM

Never mind. I found the problem. Thanks anyway.

farslayer · 06-12-2008, 10:09 PM

would you care to share your solution so others may benefit if they run into the same issue ?

mcs · 07-07-2008, 07:51 AM

Quote:

Originally Posted by leibniz

Never mind. I found the problem. Thanks anyway.

Hi,
I have exactly the same problem. Could you please tell us your solution???

Thank you very much
Michael

leibniz · 07-07-2008, 10:11 AM

The problem is that the Debian system was too up to date.

Downgrade libssl (and linbssl-dev, an openssl if necessary) exactly to version 0.9.8c (as noted in the security advisory) version and it should then work.

You still have to regenerate keys, but at least the system will generate good keys.