May 14, 2008

VM Security Updates

Since the 8.05 Jay Cooke VM release, Debian has announced several security updates which affect the Deki Wiki VM. Because reading the debian-security-announce mailing list probably isn’t your idea of fun (though I think it is), we’ve started tracking the Deki Wiki specific updates on the DekiWiki VM Security Updates page.

One of the latest vulnerabilities is particularly annoying. According to DSA-1576-1:

The recently announced vulnerability in Debian’s openssl package (DSA-1571-1, CVE-2008-0166) indirectly affects OpenSSH. As a result, all user and host keys generated using broken versions of the openssl package must be considered untrustworthy, even after the openssl update has been applied.

To apply the security fix for openssl and openssh, you’ll need to run the following commands (as root):

apt-get update
apt-get upgrade
apt-get install openssh-server openssh-client

This will regenerate a secure host key for you. The next time you log in via SSH you will most likely receive the following error message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
52:8e:93:04:64:a5:7e:ac:c8:2c:2b:9a:96:ad:66:32.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:58
RSA host key for 192.168.1.215 has changed and you have requested strict checking.
Host key verification failed.

For most people this is simply an annoyance. However, if you have any automated processes that use the old SSH keys to log in, you will need to update your keys. The DSA has a lot of good info, including instructions on how to use ssh-vulnkey to identify weak keys, so I highly recommend giving it a good read.
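One way to clear the warning above without blindly deleting the old entry, as an added example that is not part of the original post: the script removes the line named in "Offending key in ..." only when the fingerprint in the warning equals one you read on the VM's own console (for example with ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub). The function names and the temporary known_hosts contents are constructed for illustration; the warning format is the one shown in this post.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Fingerprint printed on the line after "The fingerprint for the ... key ... is".
warning_fingerprint() {
    printf '%s\n' "$1" | awk '
        /^The fingerprint for the .* key sent by the remote host is/ {
            if ((getline fp) > 0) { sub(/\.$/, "", fp); print fp }
            exit
        }'
}

# $1 = warning text from ssh, $2 = fingerprint read on the server console.
# Removes the stale known_hosts line only if both fingerprints agree.
drop_stale_host_key() {
    seen=$(warning_fingerprint "$1")
    [ -n "$seen" ] && [ "$seen" = "$2" ] || {
        echo "fingerprint mismatch: known_hosts left untouched" >&2; return 1; }
    ref=$(printf '%s\n' "$1" |
        sed -n 's/^Offending key in \(.*:[0-9][0-9]*\)$/\1/p' | head -n 1)
    file=${ref%:*}; line=${ref##*:}
    [ -n "$ref" ] && [ -f "$file" ] || {
        echo "no usable known_hosts reference in warning" >&2; return 2; }
    [ "$line" -ge 1 ] && [ "$line" -le "$(awk 'END { print NR }' "$file")" ] || {
        echo "line $line is not in $file" >&2; return 2; }
    # Keep a backup, then rewrite the file in place without the stale line.
    cp -p "$file" "$file.bak" && sed "${line}d" "$file.bak" > "$file"
}

# Constructed demo: a three-entry known_hosts in a temp dir; entry 2 is stale.
demo_dir=$(mktemp -d)
printf '%s\n' 'hostA ssh-rsa AAAA-constructed-1' \
    '192.168.1.215 ssh-rsa AAAA-constructed-old' \
    'hostC ssh-rsa AAAA-constructed-3' > "$demo_dir/known_hosts"
demo_fp='52:8e:93:04:64:a5:7e:ac:c8:2c:2b:9a:96:ad:66:32'
demo_warning="The fingerprint for the RSA key sent by the remote host is
$demo_fp.
Offending key in $demo_dir/known_hosts:2"
drop_stale_host_key "$demo_warning" "$demo_fp" && cat "$demo_dir/known_hosts"
```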

As always, if you have any questions please drop by the forums or IRC!
