OpenSSH Vulnerabilities

Tuesday

May202008

Tuesday, May 20, 2008 at 9:53

It seems that public key authentication isn't as save as you might have thought. That is if you're using a Debian based OpenSSH solution. This package can be found in many Linux distributions like;

Debian (duh ;) )
Ubuntu
Kubuntu
etc.

The problem is that the random number generator (which is of vital importance in generating key-pairs) isn't as random as you might think. It seems that there are only about 30.000 combinations in this specific generator. This leaves the door wide open for brute-force attacks.

So, the first you must do is update your OpenSSH software, and generate new keypairs for all devices / users which might have keys which were generated with the vulnerable OpenSSH software. Softwarepackages depending on OpenSSH are;

OpenVPN
DNSSEC
OpenSSH
Certificates used in TLS connections
etc.

More info on the subject can be found here [1, 2, 3].

Willem |

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

Post a New Comment

Enter your information below to add a new comment.

My response is on my own website »

Author:

Author Email (optional):

Author URL (optional):

Post:

↓ | ↑

Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>

Comment Moderation Is Enabled
Thanks to your local Internet comment spammer, your comments will be screened before they will be displayed. We're sincerely sorry for the inconvenience, but we're sure that you'll understand. Happy commenting :-)

Notify me of follow-up comments via email.