Re: openssh remote upgrade procedure?

Hi all, thanks for the suggestions so far. I talked local staff through backing up the sshd configuration file, purging the openssh-server package and then reinstalling openssh. I'm quite frustrated to say this didn't fix anything. Had exactly the same behaviour: debug1: Next authentication met

Re: openssh remote upgrade procedure?

Michel Messerschmidt schrieb: > 1) Create a new temporary keypair on a non-vulnerable system and >protect the key with a good passphrase. > 2) Install the temporary public key on the vulnerable system *before* >the upgrade. Because it is no weak key, it won't be blacklisted. >Note: Y

Hear her screaming your name in pleasure!

Regain your male attrctiveness! http://picturewest.com Ike Downs -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: openssl-blacklist & two keys per one pid

Jamie Strandboge wrote: I discovered that there is also 3rd key which you get if you pass empty file by -rand. Keys created in this way are still the same so it's another possible compromised key. I'm not sure if it worth spend time on counting this keys... Empty files vs non-existent res

Re: openssl-blacklist & two keys per one pid

On Mon, 19 May 2008, Jan Tomasek wrote: > Kees Cook wrote: >>> The rule is simple. When the ~/.rnd file doesn't exist I get one key >>> and in other situation I get another (that listed in Ubuntu >>> openssl-blacklist) key. Because of this problem openssl-blacklist has >>> to be twice big t

Re: openssl-blacklist & two keys per one pid

On Wed, May 21, 2008 at 2:46 PM, Dirk-Willem van Gulik <[EMAIL PROTECTED]> wrote: > On May 21, 2008, at 12:06 PM, Bodo Moeller wrote: >> A more elaborate explanation seems in place to make sure that >> we avoid uninentionally incomplete blacklists. >> I'd expect there to be some significant overl

Re: openssl-blacklist & two keys per one pid

On Monday 19 May 2008, Florian Weimer wrote: > BTW, it appears that the same blacklist can be used for -3 and -F4 > keys. (Just in case you haven't checked that already.) RSA keys with exponent 3 should probably not be used at all, because multiple implementations did not verify the signatures co

Re: openssl-blacklist & two keys per one pid

On May 21, 2008, at 12:06 PM, Bodo Moeller wrote: A more elaborate explanation seems in place to make sure that we avoid uninentionally incomplete blacklists. .. I'd expect there to be some significant overlapping between the blacklists, but these should still be different lists: Many RSA mo

Re: Accepted openssh-blacklist 0.3 (source all)

Hi, On Wed, May 21, 2008 at 05:42:43AM -0400, Simon Valiquette wrote: > Kees Cook un jour écrivit: >> On Wed, May 21, 2008 at 07:07:34AM +0200, Vincent Bernat wrote: >> >> I could be mistaken, but prior to openssl breaking, ssh-keygen stopped >> allowing dsa 2048 keys, which means there wasn't a w

Re: openssl-blacklist & two keys per one pid

On Mon, May 19, 2008 at 02:17:42PM +0200, Florian Weimer wrote: > * Kees Cook: >>> The rule is simple. When the ~/.rnd file doesn't exist I get one key and >>> in other situation I get another (that listed in Ubuntu >>> openssl-blacklist) key. Because of this problem openssl-blacklist has to

Re: Accepted openssh-blacklist 0.3 (source all)

Kees Cook un jour écrivit: On Wed, May 21, 2008 at 07:07:34AM +0200, Vincent Bernat wrote: I could be mistaken, but prior to openssl breaking, ssh-keygen stopped allowing dsa 2048 keys, which means there wasn't a way to generate bad ones: It didn't before. At least not directly from ssh-key

Re: Accepted openssh-blacklist 0.3 (source all)

On Wed, May 21, 2008 at 07:07:34AM +0200, Vincent Bernat wrote: > OoO En cette nuit nuageuse du mercredi 21 mai 2008, vers 01:32, Kees > Cook <[EMAIL PROTECTED]> disait: > > > * Add empty DSA-2048, since they weren't any bad ones. > > How is it possible? I could be mistaken, but prior to ope

Re: Debian OpenSSL Weak Key Detector (dowkd) version 0.9

* Florian Weimer: > I've just uploaded a new version of dowkd.pl to the usual place: > > > > (OpenPGP signature) I've just released version 0.9.3, which contains t