On Thu, May 15, 2008 at 3:13 PM, Mark Carlson <[EMAIL PROTECTED]> wrote:
> If you don't have any password-less logins set up, no need to
> worry (unless you generated your own SSL certs on these systems, which
> is also affected, so regenerate those too.)
>
> http://isc.sans.org/diary.html?storyid=4420
>
> The meat of it:
>
> "It is obvious that this is highly critical – if you are running a
> Debian or Ubuntu system, and you are using keys for SSH authentication
> (ironically, that's something we've been recommending for a long
> time), and those keys were generated between September 2006 and May
> 13th 2008 then you are vulnerable. In other words, those secure
> systems can be very easily brute forced. What's even worse, H D Moore
> said that he will soon release a brute force tool that will allow an
> attacker easy access to any SSH account that uses public key
> authentication."
>
> Whoops! If your SSH port faces the outside world and you have a
> vulnerable key, this basically means that all someone has to do is
> guess your username and a flurry of connection attempts later...
> owned! (And may $deity help you if you have a key set up for root!)
>
> Do not delay. Get the updated version and regenerate your keys NOW!
>
> -Mark C.
Mark, if you are running dapper on a box on the internet, does that mean that it's not sufficient to do the "apt-get update; apt-get upgrade"? Do you also have to use ssh-keygen to replace the keys in /etc/ssh and do that manually?

I have two users on this machine - no password or key for root. Do I have to:

cp /dev/null .ssh/authorized_keys

get back to my client machine and:

ssh-keygen -t ...
ssh-copy-id ...

to put a new key on the server machine?

_______________________________________________
clug-talk mailing list
[email protected]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
**Please remove these lines when replying
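The gap the question above is circling around is that a package upgrade replaces the broken libssl but does nothing about keys that were already generated with it and are still sitting in authorized_keys. The following is an added example, not code from this thread or from Debian's tooling. It does what Debian's ssh-vulnkey does: decode each key in an authorized_keys file, compute its MD5 fingerprint, and look it up in a blacklist of fingerprints of keys the crippled PRNG can produce. Everything here is constructed so it runs offline: the two "keys" are arbitrary well-formed ssh-rsa blobs, not real keypairs, the blacklist is built from one of them rather than loaded from the openssh-blacklist files, and the truncation to the last 20 hex digits of the MD5 fingerprint is my assumption about that file format.

```python
"""Audit an authorized_keys file for blacklisted (weak) SSH public keys.

Added example for the clug-talk thread on the Debian OpenSSL PRNG bug; not code
from the thread or from Debian's ssh-vulnkey, which it imitates. Sample keys
and the blacklist are CONSTRUCTED inline so the script runs offline.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement; a leading zero byte is
    added when the high bit is set so the value cannot be read as negative."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_public_blob(e: int, n: int) -> bytes:
    """Wire-format ssh-rsa public key: string(type) mpint(e) mpint(n).
    This is exactly what authorized_keys carries, base64-encoded."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def parse_authorized_keys_line(line: str):
    """Return (key_type, blob, comment) or None for blank/comment lines.
    An optional leading options field (e.g. from="...") is skipped by scanning
    for the key-type token; quoted options containing spaces still work as
    long as no quoted word itself starts with 'ssh-'."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-")) and i + 1 < len(fields):
            blob = base64.b64decode(fields[i + 1])
            return field, blob, " ".join(fields[i + 2:])
    return None


def key_bits(key_type: str, blob: bytes) -> int:
    """Modulus size in bits for ssh-rsa (the number ssh-keygen -l reports)."""
    off, parts = 0, []
    while off < len(blob):                      # walk the length-prefixed fields
        (length,) = struct.unpack(">I", blob[off:off + 4])
        parts.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    if key_type == "ssh-rsa":
        return int.from_bytes(parts[2], "big").bit_length()
    raise ValueError(f"size parsing not implemented for {key_type}")


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the format ssh-keygen -l printed in 2008."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Modern SHA256 fingerprint (base64 with padding stripped)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def blacklist_key(blob: bytes) -> str:
    """Lookup token: last 20 hex digits (80 bits) of the MD5 fingerprint.
    ASSUMPTION: that this is the truncation the openssh-blacklist files use."""
    return hashlib.md5(blob).hexdigest()[-20:]


def audit(authorized_keys_text: str, blacklist: set) -> list:
    """One record per key: type, bits, MD5 fingerprint, comment, weak flag."""
    results = []
    for line in authorized_keys_text.splitlines():
        parsed = parse_authorized_keys_line(line)
        if parsed is None:
            continue
        key_type, blob, comment = parsed
        results.append({
            "type": key_type,
            "bits": key_bits(key_type, blob),
            "md5": fingerprint_md5(blob),
            "comment": comment,
            "weak": blacklist_key(blob) in blacklist,
        })
    return results


# Constructed sample keys: arbitrary 2048-bit moduli, NOT real keypairs; they
# only need to be well-formed for the parsing and fingerprint logic above.
WEAK_BLOB = rsa_public_blob(65537, (1 << 2047) | 0x10001)
GOOD_BLOB = rsa_public_blob(65537, (1 << 2047) | 0xC0FFEE)
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample ~/.ssh/authorized_keys",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " alice@laptop-2007",
    'from="10.0.0.0/8" ssh-rsa ' + base64.b64encode(GOOD_BLOB).decode() + " bob@desktop",
])
# Constructed blacklist; in reality this is loaded from the openssh-blacklist files.
SAMPLE_BLACKLIST = {blacklist_key(WEAK_BLOB)}

if __name__ == "__main__":
    for r in audit(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BLACKLIST):
        status = "WEAK - remove, regenerate on the client, reinstall" if r["weak"] else "ok"
        print(f'{r["type"]} {r["bits"]} {r["md5"]} {r["comment"]}: {status}')
```

Run against a real file and a real blacklist, a flagged line is the one to delete from authorized_keys before regenerating the pair on the (patched) client with ssh-keygen and pushing the new public key back with ssh-copy-id, which is the sequence the question sketches. Host keys in /etc/ssh are a separate audit of the same kind, done on the public halves of the host keypairs rather than on authorized_keys.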

