big debian and ubuntu security alert - Linux


Results 1 to 20 of 51

Thread: big debian and ubuntu security alert

  1. big debian and ubuntu security alert


    I believe there are many Debian and Ubuntu users here. Important
    security alert:



    IMPORTANT NOTE: just installing the fixed software is not sufficient.
    You have to deal with any tainted keys that were generated in the last
    couple of years and are still in use.

    I changed my ssh keys a couple of months ago... but I don't remember if I
    generated my new key on one of my Ubuntu systems or one of my Macs, so I
    have no idea at this time if I have a problem here or not. :-(



    --
    --Tim Smith

  2. Re: big debian and ubuntu security alert

    Tim Smith wrote:
    > I believe there are many Debian and Ubuntu users here. Important
    > security alert:
    >
    >


    Does it affect the openssl-0.9.8g from the official website?

    --
    @~@ Might, Courage, Vision, SINCERITY.
    / v \ Simplicity is Beauty! May the Force and Farce be with you!
    /( _ )\ (Xubuntu 7.10) Linux 2.6.25.3
    ^ ^ 19:50:01 up 1 day 3:38 1 user load average: 1.20 1.07 1.02
    ? ? (CSSA):
    http://www.swd.gov.hk/tc/index/site_...ub_addressesa/

  3. Re: big debian and ubuntu security alert

    Tim Smith writes:

    > I believe there are many Debian and Ubuntu users here. Important
    > security alert:
    >
    >
    >
    > IMPORTANT NOTE: just installing the fixed software is not sufficient.
    > You have to deal with any tainted keys that were generated in the last
    > couple of years and are still in use.
    >
    > I changed my ssh keys a couple month ago...but I don't remember if I
    > generated my new key on one of my Ubuntu systems or one of my Macs, so
    > have no idea at this time if I have a problem here or not. :-(


    Youch. And to think that people like HPT keep pimping Debian Etch as the
    "failsafe server". But as some of us point out, ALL SW is prone to
    errors. Debian Etch too. "Stable" does not mean what he thinks it means.

    ,----
    | The first vulnerable version, 0.9.8c-1, was uploaded to the unstable
    | distribution on 2006-09-17, and has since propagated to the testing and
    | current stable (etch) distributions. The old stable distribution
    | (sarge) is not affected.
    `----

  4. Re: big debian and ubuntu security alert

    > Youch. And to think that people like HPT keep pimping Debian Etch as the
    > "failsafe server". But as some of us point out, ALL SW is prone to
    > errors. Debian Etch too. "Stable" does not mean what he thinks it means.


    Seems that it's a bug from the backporting process....

    --
    @~@ Might, Courage, Vision, SINCERITY.
    / v \ Simplicity is Beauty! May the Force and Farce be with you!
    /( _ )\ (Xubuntu 7.10) Linux 2.6.25.3
    ^ ^ 20:51:01 up 1 day 4:39 1 user load average: 1.09 1.10 1.03
    ? ? (CSSA):
    http://www.swd.gov.hk/tc/index/site_...ub_addressesa/

  5. Re: big debian and ubuntu security alert

    On Wed, 14 May 2008 04:48:09 -0700, Tim Smith wrote:

    > I believe there are many Debian and Ubuntu users here. Important
    > security alert:
    >
    >
    >
    > IMPORTANT NOTE: just installing the fixed software is not sufficient.
    > You have to deal with any tainted keys that were generated in the last
    > couple of years and are still in use.
    >
    > I changed my ssh keys a couple month ago...but I don't remember if I
    > generated my new key on one of my Ubuntu systems or one of my Macs, so
    > have no idea at this time if I have a problem here or not. :-(


    Interesting that Roy Schestowitz missed this one.
    Not surprising though as he missed it when his own server
    www.schestowitz.com was hacked and trojan infested.



    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/

  6. Re: big debian and ubuntu security alert

    On 2008-05-14, Moshe Goldfarb wrote:
    > On Wed, 14 May 2008 04:48:09 -0700, Tim Smith wrote:
    >
    >> I believe there are many Debian and Ubuntu users here. Important
    >> security alert:
    >>
    >>
    >>
    >> IMPORTANT NOTE: just installing the fixed software is not sufficient.
    >> You have to deal with any tainted keys that were generated in the last
    >> couple of years and are still in use.
    >>
    >> I changed my ssh keys a couple month ago...but I don't remember if I
    >> generated my new key on one of my Ubuntu systems or one of my Macs, so
    >> have no idea at this time if I have a problem here or not. :-(

    >
    > Interesting that Roy Schestowitz missed this one.
    > Not surprising though as he missed it when his own server
    > www.schestowitz.com was hacked and trojan infested.


    I am still waiting for a good picture of impact from this one. (ie can
    someone fully remote log on as an authorized user whose key is in
    authorized_keys)

    Looks quite bad. I spent 1.5 hours last night redoing my SSH trust
    network.

    --
    Due to extreme spam originating from Google Groups, and their inattention
    to spammers, I and many others block all articles originating
    from Google Groups. If you want your postings to be seen by
    more readers you will need to find a different means of
    posting on Usenet.
    http://improve-usenet.org/

  7. Re: big debian and ubuntu security alert

    * Tim Smith peremptorily fired off this memo:

    > I believe there are many Debian and Ubuntu users here. Important
    > security alert:
    >
    >
    >
    > IMPORTANT NOTE: just installing the fixed software is not sufficient.
    > You have to deal with any tainted keys that were generated in the last
    > couple of years and are still in use.
    >
    > I changed my ssh keys a couple month ago...but I don't remember if I
    > generated my new key on one of my Ubuntu systems or one of my Macs, so
    > have no idea at this time if I have a problem here or not. :-(


    Dang.

    Anyway, thanks for the follow-up/heads-up, Tim.

    Damn Debian slopware!

    The following URL details the cleanup process:

    http://wiki.debian.org/SSLkeys

    --

  8. Re: big debian and ubuntu security alert

    Ignoramus12901 writes:

    > On 2008-05-14, Moshe Goldfarb wrote:
    >> On Wed, 14 May 2008 04:48:09 -0700, Tim Smith wrote:
    >>
    >>> I believe there are many Debian and Ubuntu users here. Important
    >>> security alert:
    >>>
    >>>
    >>>
    >>> IMPORTANT NOTE: just installing the fixed software is not sufficient.
    >>> You have to deal with any tainted keys that were generated in the last
    >>> couple of years and are still in use.
    >>>
    >>> I changed my ssh keys a couple month ago...but I don't remember if I
    >>> generated my new key on one of my Ubuntu systems or one of my Macs, so
    >>> have no idea at this time if I have a problem here or not. :-(

    >>
    >> Interesting that Roy Schestowitz missed this one.
    >> Not surprising though as he missed it when his own server
    >> www.schestowitz.com was hacked and trojan infested.

    >
    > I am still waiting for a good picture of impact from this one. (ie can
    > someone fully remote log on as an authorized user whose key is in
    > authorized_keys)
    >
    > Looks quite bad. I spent 1.5 hours last night redoing my SSH trust
    > network.


    It is a real PITA.

    What they should do is have it recreate everything for you. As it is,
    it is a confusing mess with few people really realising the impact. So
    much for "many eyes".

  9. Re: big debian and ubuntu security alert


    "Tim Smith" wrote in message
    news:reply_in_group-10C959.04480914052008@news.supernews.com...
    >
    > I believe there are many Debian and Ubuntu users here. Important
    > security alert:
    >
    >
    >
    > IMPORTANT NOTE: just installing the fixed software is not sufficient.
    > You have to deal with any tainted keys that were generated in the last
    > couple of years and are still in use.
    >
    > I changed my ssh keys a couple month ago...but I don't remember if I
    > generated my new key on one of my Ubuntu systems or one of my Macs, so
    > have no idea at this time if I have a problem here or not. :-(



    Well I guess I know what I'll be doing the next couple of days. What a PITA.
    It's not like I can just update some libraries and be done with the
    vulnerability. I need to generate new key-pairs for every machine and then
    update all of the private keys on the various computers that access the
    network.


    > --
    > --Tim Smith



    ** Posted from http://www.teranews.com **

  10. Re: big debian and ubuntu security alert

    Hadron wrote:

    > Ignoramus12901 writes:
    >
    >> On 2008-05-14, Moshe Goldfarb wrote:
    >>> On Wed, 14 May 2008 04:48:09 -0700, Tim Smith wrote:
    >>>
    >>>> I believe there are many Debian and Ubuntu users here. Important
    >>>> security alert:
    >>>>
    >>>>
    >>>>
    >>>> IMPORTANT NOTE: just installing the fixed software is not sufficient.
    >>>> You have to deal with any tainted keys that were generated in the last
    >>>> couple of years and are still in use.
    >>>>
    >>>> I changed my ssh keys a couple month ago...but I don't remember if I
    >>>> generated my new key on one of my Ubuntu systems or one of my Macs, so
    >>>> have no idea at this time if I have a problem here or not. :-(
    >>>
    >>> Interesting that Roy Schestowitz missed this one.
    >>> Not surprising though as he missed it when his own server
    >>> www.schestowitz.com was hacked and trojan infested.

    >>
    >> I am still waiting for a good picture of impact from this one. (ie can
    >> someone fully remote log on as an authorized user whose key is in
    >> authorized_keys)
    >>
    >> Looks quite bad. I spent 1.5 hours last night redoing my SSH trust
    >> network.

    >
    > It is a real PITA.
    >
    > What they should do is have it recreate everything for you. As it is,
    > it is a confusing mess with few people really realising the impact. So
    > much for "many eyes".


    I updated three machines this morning, and the keys changed on all of them.
    It was not that big a deal for me - I'm just glad the issue is
    resolved.
    --
    Mike McGinn
    Registered Linux User 377849
    "more kidneys than eyes!"
    Code wrangling for over twenty years.
    "Forsan et haec olim meminisse iuvabit."
    When the going gets weird, the weird turn pro.

  11. Re: big debian and ubuntu security alert

    "Ezekiel" writes:

    > "Tim Smith" wrote in message
    > news:reply_in_group-10C959.04480914052008@news.supernews.com...
    >>
    >> I believe there are many Debian and Ubuntu users here. Important
    >> security alert:
    >>
    >>
    >>
    >> IMPORTANT NOTE: just installing the fixed software is not sufficient.
    >> You have to deal with any tainted keys that were generated in the last
    >> couple of years and are still in use.
    >>
    >> I changed my ssh keys a couple month ago...but I don't remember if I
    >> generated my new key on one of my Ubuntu systems or one of my Macs, so
    >> have no idea at this time if I have a problem here or not. :-(

    >
    >
    > Well I guess I know what I'll be doing the next couple of days. What a PITA.
    > It's not like I can just update some libraries and be done with the
    > vulnerability. I need to generate new key-pairs for every machine and then
    > update all of the private keys on the various computers that access the
    > network.
    >
    >
    >> --
    >> --Tim Smith

    >
    >
    > ** Posted from http://www.teranews.com **


    And, I suspect, copy the public keys to them too. I'm still not 100%
    sure what *needs* (as opposed to *must*) to be done.

  12. Re: big debian and ubuntu security alert

    Mike McGinn writes:

    > Hadron wrote:
    >
    >> Ignoramus12901 writes:
    >>
    >>> On 2008-05-14, Moshe Goldfarb wrote:
    >>>> On Wed, 14 May 2008 04:48:09 -0700, Tim Smith wrote:
    >>>>
    >>>>> I believe there are many Debian and Ubuntu users here. Important
    >>>>> security alert:
    >>>>>
    >>>>>
    >>>>>
    >>>>> IMPORTANT NOTE: just installing the fixed software is not sufficient.
    >>>>> You have to deal with any tainted keys that were generated in the last
    >>>>> couple of years and are still in use.
    >>>>>
    >>>>> I changed my ssh keys a couple month ago...but I don't remember if I
    >>>>> generated my new key on one of my Ubuntu systems or one of my Macs, so
    >>>>> have no idea at this time if I have a problem here or not. :-(
    >>>>
    >>>> Interesting that Roy Schestowitz missed this one.
    >>>> Not surprising though as he missed it when his own server
    >>>> www.schestowitz.com was hacked and trojan infested.
    >>>
    >>> I am still waiting for a good picture of impact from this one. (ie can
    >>> someone fully remote log on as an authorized user whose key is in
    >>> authorized_keys)
    >>>
    >>> Looks quite bad. I spent 1.5 hours last night redoing my SSH trust
    >>> network.

    >>
    >> It is a real PITA.
    >>
    >> What they should do is have it recreate everything for you. As it is,
    >> it is a confusing mess with few people really realising the impact. So
    >> much for "many eyes".

    >
    > I updated three machines this morning, and the keys changed on all of them.
    > It was not that big a deal for me - I'm just glad the issue is
    > resolved.


    Can you post a link to the process to follow? I have 4 debian machines
    networked with ssh over the net. One pair using sshfs. Is it machine
    specific keys too? Or only user keys for all users which can connect?

  13. Re: big debian and ubuntu security alert


    "Hadron" wrote in message
    news:g0f3h9$pb5$2@registered.motzarella.org...
    > "Ezekiel" writes:
    >
    >> "Tim Smith" wrote in message
    >> news:reply_in_group-10C959.04480914052008@news.supernews.com...
    >>>
    >>> I believe there are many Debian and Ubuntu users here. Important
    >>> security alert:
    >>>
    >>>
    >>>
    >>> IMPORTANT NOTE: just installing the fixed software is not sufficient.
    >>> You have to deal with any tainted keys that were generated in the last
    >>> couple of years and are still in use.
    >>>
    >>> I changed my ssh keys a couple month ago...but I don't remember if I
    >>> generated my new key on one of my Ubuntu systems or one of my Macs, so
    >>> have no idea at this time if I have a problem here or not. :-(

    >>
    >>
    >> Well I guess I know what I'll be doing the next couple of days. What a
    >> PITA.
    >> It's not like I can just update some libraries and be done with the
    >> vulnerability. I need to generate new key-pairs for every machine and
    >> then
    >> update all of the private keys on the various computers that access the
    >> network.
    >>
    >>
    >>> --
    >>> --Tim Smith

    >>
    >>

    > And, I suspect, copy the public keys to them too. I'm still not 100%
    > sure what *needs* (as opposed to *must*) to be done.


    The way I read the security bulletin, previously generated keys are
    basically garbage.

    You may be able to get by with less, but the safest thing is going to be to
    simply throw away all of the old keys and generate new ones.




    ** Posted from http://www.teranews.com **

  14. Re: big debian and ubuntu security alert

    On 2008-05-14, Hadron wrote:
    > Ignoramus12901 writes:
    >
    >> On 2008-05-14, Moshe Goldfarb wrote:
    >>> On Wed, 14 May 2008 04:48:09 -0700, Tim Smith wrote:
    >>>
    >>>> I believe there are many Debian and Ubuntu users here. Important
    >>>> security alert:
    >>>>
    >>>>
    >>>>
    >>>> IMPORTANT NOTE: just installing the fixed software is not sufficient.
    >>>> You have to deal with any tainted keys that were generated in the last
    >>>> couple of years and are still in use.
    >>>>
    >>>> I changed my ssh keys a couple month ago...but I don't remember if I
    >>>> generated my new key on one of my Ubuntu systems or one of my Macs, so
    >>>> have no idea at this time if I have a problem here or not. :-(
    >>>
    >>> Interesting that Roy Schestowitz missed this one.
    >>> Not surprising though as he missed it when his own server
    >>> www.schestowitz.com was hacked and trojan infested.

    >>
    >> I am still waiting for a good picture of impact from this one. (ie can
    >> someone fully remote log on as an authorized user whose key is in
    >> authorized_keys)
    >>
    >> Looks quite bad. I spent 1.5 hours last night redoing my SSH trust
    >> network.

    >
    > It is a real PITA.
    >
    > What they should do is have it recreate everything for you. As it is,
    > it is a confusing mess with few people really realising the impact. So
    > much for "many eyes".


    Recreate what?

    Recreate keys and then go to remote machines and replace them in
    authorized_keys?

    That's not really possible.

    This is a terrible mess. I wrote a script (see below) to check my
    machines for any bad keys.

    The "many eyes" did actually notice the problem.

    The issue here is the "many hands" messing with crypto stuff that they
    have no understanding of (and no appreciation of how fragile
    cryptographic security is).

    Also unclear is whether there are any working exploits that are being
    used.

    #!/bin/bash
    # Scratch directory for the checker. Use a dedicated subdirectory rather than
    # /tmp itself: the chmod and chown below apply to the whole of $DIR, and
    # changing the mode or owner of /tmp would break it for every other process.
    DIR=/tmp/dowkd

    test -d "$DIR" || mkdir -p "$DIR"
    chmod 711 "$DIR"

    # Fetch Debian's weak-key detector once, unpack it and make it executable
    test -e "$DIR/dowkd.pl" || (cd "$DIR" && wget http://security.debian.org/project/e...kd/dowkd.pl.gz && gunzip dowkd.pl.gz && chmod 755 dowkd.pl)

    chown myuserid "$DIR"   # replace myuserid with the account that runs the check

    # Check every user's public keys and authorized_keys files; prefix each
    # result line with this host's name so output from several hosts can be merged
    perl "$DIR/dowkd.pl" file {/root,/home/*}/.ssh/{*.pub,authorized_keys} | sed "s/^/$(hostname):/"

    --
    Due to extreme spam originating from Google Groups, and their inattention
    to spammers, I and many others block all articles originating
    from Google Groups. If you want your postings to be seen by
    more readers you will need to find a different means of
    posting on Usenet.
    http://improve-usenet.org/

  15. Re: big debian and ubuntu security alert

    On 2008-05-14, Hadron wrote:
    > Mike McGinn writes:
    >
    >> Hadron wrote:
    >>
    >>> Ignoramus12901 writes:
    >>>
    >>>> On 2008-05-14, Moshe Goldfarb wrote:
    >>>>> On Wed, 14 May 2008 04:48:09 -0700, Tim Smith wrote:
    >>>>>
    >>>>>> I believe there are many Debian and Ubuntu users here. Important
    >>>>>> security alert:
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>> IMPORTANT NOTE: just installing the fixed software is not sufficient.
    >>>>>> You have to deal with any tainted keys that were generated in the last
    >>>>>> couple of years and are still in use.
    >>>>>>
    >>>>>> I changed my ssh keys a couple month ago...but I don't remember if I
    >>>>>> generated my new key on one of my Ubuntu systems or one of my Macs, so
    >>>>>> have no idea at this time if I have a problem here or not. :-(
    >>>>>
    >>>>> Interesting that Roy Schestowitz missed this one.
    >>>>> Not surprising though as he missed it when his own server
    >>>>> www.schestowitz.com was hacked and trojan infested.
    >>>>
    >>>> I am still waiting for a good picture of impact from this one. (ie can
    >>>> someone fully remote log on as an authorized user whose key is in
    >>>> authorized_keys)
    >>>>
    >>>> Looks quite bad. I spent 1.5 hours last night redoing my SSH trust
    >>>> network.
    >>>
    >>> It is a real PITA.
    >>>
    >>> What they should do is have it recreate everything for you. As it is,
    >>> it is a confusing mess with few people really realising the impact. So
    >>> much for "many eyes".

    >>
    >> I updated three machines this morning, and the keys changed on all of them.
    >> It was not that big a deal for me - I'm just glad the issue is
    >> resolved.

    >
    > Can you post a link to the process to follow? I have 4 debian machines
    > networked with ssh over the net. One pair using sshfs. Is it machine
    > specific keys too? Or only user keys for all users which can connect?


    All private keys may be affected. Host and user. As well as session
    keys, but that's history.

    You need to check them using that dowkd.pl I mentioned in my previous
    post.

    --
    Due to extreme spam originating from Google Groups, and their inattention
    to spammers, I and many others block all articles originating
    from Google Groups. If you want your postings to be seen by
    more readers you will need to find a different means of
    posting on Usenet.
    http://improve-usenet.org/
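A companion to the dowkd.pl check in post 14 and to the point in post 15 that both host and user keys are affected (and to post 13's advice to throw the old keys away): the following is an added example, not code from this thread, from Debian or from the dowkd.pl tool. It inventories an authorized_keys file (key type, key size, MD5 and SHA256 fingerprints, any option prefix such as `command="..."`), flags entries whose fingerprint is on a revocation list, and produces a cleaned copy with those entries removed while keeping every other line verbatim. The authorized_keys content, the key blobs and the revocation list are all constructed stand-ins built inside the script; it does not reproduce Debian's weak-key blacklist, so for the 2008 keys the dowkd.pl run itself remains the actual check, and its report is where the fingerprints for the revocation set would come from.

```python
# Added example (not from the thread): inventory an OpenSSH authorized_keys file,
# flag entries whose fingerprint is on a revocation list, and emit a cleaned copy.
# Standard library only; all key material below is constructed, not real keys.
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(b):
    # SSH wire format: 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(x):
    # mpint is two's complement big-endian, so a leading 0x00 is added when the top bit is set
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_key_blob(b64):
    """Return (type, bits, md5_fingerprint, sha256_fingerprint) for a base64 public key blob."""
    blob = base64.b64decode(b64)
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode()
    bits = None
    if ktype == "ssh-rsa":                      # blob = string "ssh-rsa", mpint e, mpint n
        _e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
    elif ktype == "ssh-ed25519":                # blob = string "ssh-ed25519", string pk (32 bytes)
        pk, off = _read_string(blob, off)
        bits = len(pk) * 8
    md5 = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    sha256_fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ktype, bits, md5_fp, sha256_fp


def split_line(line):
    """Split one authorized_keys line into (options, type, b64, comment); None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if line.split(None, 1)[0] not in KEY_TYPES:
        # Options precede the key type; quoted option values may contain spaces,
        # so scan to the first whitespace that lies outside double quotes.
        i, quoted = 0, False
        while i < len(line) and (quoted or not line[i].isspace()):
            if line[i] == '"' and (i == 0 or line[i - 1] != "\\"):
                quoted = not quoted
            i += 1
        options, line = line[:i], line[i:].strip()
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("malformed authorized_keys entry: %r" % line)
    return options, parts[0], parts[1], (parts[2] if len(parts) == 3 else "")


def inventory(text):
    """One dict per key entry: line number, options, type, bits, both fingerprints, comment."""
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = split_line(raw)
        if fields is None:
            continue
        options, ktype, b64, comment = fields
        _, bits, md5_fp, sha256_fp = parse_key_blob(b64)
        rows.append({"line": lineno, "options": options, "type": ktype, "bits": bits,
                     "md5": md5_fp, "sha256": sha256_fp, "comment": comment})
    return rows


def find_revoked(text, revoked):
    """(line number, comment) of every entry whose MD5 or SHA256 fingerprint is in `revoked`."""
    return [(r["line"], r["comment"]) for r in inventory(text)
            if r["md5"] in revoked or r["sha256"] in revoked]


def purge_revoked(text, revoked):
    """Copy of the file with revoked entries removed; every other line (options, comments) kept verbatim."""
    drop = {line for line, _ in find_revoked(text, revoked)}
    kept = [raw for lineno, raw in enumerate(text.splitlines(), 1) if lineno not in drop]
    return "\n".join(kept) + "\n"


# --- constructed sample data: toy moduli and a toy ed25519 point, not real keys ---
_B64_A = base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 1023) | 12345)).decode()
_B64_B = base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 2047) | 54321)).decode()
_B64_C = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys; the blobs are toy values",
    "ssh-rsa %s alice@old-etch-box" % _B64_A,
    'command="/usr/bin/rsync --server",no-pty ssh-rsa %s backup@nas' % _B64_B,
    "",
    "ssh-ed25519 %s carol@laptop" % _B64_C,
])
# Stand-in revocation list (constructed): fingerprints of keys you have decided to retire
REVOKED_FINGERPRINTS = {parse_key_blob(_B64_A)[3]}

if __name__ == "__main__":
    for row in inventory(SAMPLE_AUTHORIZED_KEYS):
        print(row)
    print("revoked:", find_revoked(SAMPLE_AUTHORIZED_KEYS, REVOKED_FINGERPRINTS))
    print(purge_revoked(SAMPLE_AUTHORIZED_KEYS, REVOKED_FINGERPRINTS))
```

The revocation set accepts either fingerprint form, so entries can be added from whichever format a scanner or an `ssh-keygen -l` listing reports. It covers only authorized_keys files; host keys under /etc/ssh and the entries in known_hosts are separate inventories, which is the point post 15 makes about host and user keys both needing attention.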

  16. Re: big debian and ubuntu security alert

    Ignoramus12901 writes:

    > On 2008-05-14, Hadron wrote:
    >> Ignoramus12901 writes:
    >>
    >>> On 2008-05-14, Moshe Goldfarb wrote:
    >>>> On Wed, 14 May 2008 04:48:09 -0700, Tim Smith wrote:
    >>>>
    >>>>> I believe there are many Debian and Ubuntu users here. Important
    >>>>> security alert:
    >>>>>
    >>>>>
    >>>>>
    >>>>> IMPORTANT NOTE: just installing the fixed software is not sufficient.
    >>>>> You have to deal with any tainted keys that were generated in the last
    >>>>> couple of years and are still in use.
    >>>>>
    >>>>> I changed my ssh keys a couple month ago...but I don't remember if I
    >>>>> generated my new key on one of my Ubuntu systems or one of my Macs, so
    >>>>> have no idea at this time if I have a problem here or not. :-(
    >>>>
    >>>> Interesting that Roy Schestowitz missed this one.
    >>>> Not surprising though as he missed it when his own server
    >>>> www.schestowitz.com was hacked and trojan infested.
    >>>
    >>> I am still waiting for a good picture of impact from this one. (ie can
    >>> someone fully remote log on as an authorized user whose key is in
    >>> authorized_keys)
    >>>
    >>> Looks quite bad. I spent 1.5 hours last night redoing my SSH trust
    >>> network.

    >>
    >> It is a real PITA.
    >>
    >> What they should do is have it recreate everything for you. As it is,
    >> it is a confusing mess with few people really realising the impact. So
    >> much for "many eyes".

    >
    > Recreate what?


    Don't certain apps generate their own keys too?

    I just did my ssh rsa keys for ssh'ing in without password but is that
    all?

  17. Re: big debian and ubuntu security alert


    "Hadron" wrote in message
    news:g0f3kr$pb5$3@registered.motzarella.org...
    > Mike McGinn writes:
    >
    >> Hadron wrote:
    >>
    >>> Ignoramus12901 writes:
    >>>
    >>>> On 2008-05-14, Moshe Goldfarb wrote:
    >>>>> On Wed, 14 May 2008 04:48:09 -0700, Tim Smith wrote:
    >>>>>
    >>>>>> I believe there are many Debian and Ubuntu users here. Important
    >>>>>> security alert:
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>> IMPORTANT NOTE: just installing the fixed software is not sufficient.
    >>>>>> You have to deal with any tainted keys that were generated in the
    >>>>>> last
    >>>>>> couple of years and are still in use.
    >>>>>>
    >>>>>> I changed my ssh keys a couple month ago...but I don't remember if I
    >>>>>> generated my new key on one of my Ubuntu systems or one of my Macs,
    >>>>>> so
    >>>>>> have no idea at this time if I have a problem here or not. :-(
    >>>>>
    >>>>> Interesting that Roy Schestowitz missed this one.
    >>>>> Not surprising though as he missed it when his own server
    >>>>> www.schestowitz.com was hacked and trojan infested.
    >>>>
    >>>> I am still waiting for a good picture of impact from this one. (ie can
    >>>> someone fully remote log on as an authorized user whose key is in
    >>>> authorized_keys)
    >>>>
    >>>> Looks quite bad. I spent 1.5 hours last night redoing my SSH trust
    >>>> network.
    >>>
    >>> It is a real PITA.
    >>>
    >>> What they should do is have it recreate everything for you. As it is,
    >>> it is a confusing mess with few people really realising the impact. So
    >>> much for "many eyes".

    >>
    >> I updated three machines this morning, and the keys changed on all of
    >> them.
    >> It was not that big a deal for me - I'm just glad the issue is
    >> resolved.

    >
    > Can you post a link to the process to follow? I have 4 debian machines
    > networked with ssh over the net. One pair using sshfs. Is it machine
    > specific keys too? Or only user keys for all users which can connect?


    Hmm, I thought you a**holes said linsux was impenetrable



  18. Re: big debian and ubuntu security alert

    Whoknew wrote:
    > "Hadron" wrote in message
    > news:g0f3kr$pb5$3@registered.motzarella.org...
    >
    >>Mike McGinn writes:
    >>
    >>
    >>>Hadron wrote:
    >>>
    >>>
    >>>>Ignoramus12901 writes:
    >>>>
    >>>>
    >>>>>On 2008-05-14, Moshe Goldfarb wrote:
    >>>>>
    >>>>>>On Wed, 14 May 2008 04:48:09 -0700, Tim Smith wrote:
    >>>>>>
    >>>>>>
    >>>>>>>I believe there are many Debian and Ubuntu users here. Important
    >>>>>>>security alert:
    >>>>>>>
    >>>>>>>
    >>>>>>>
    >>>>>>>IMPORTANT NOTE: just installing the fixed software is not sufficient.
    >>>>>>>You have to deal with any tainted keys that were generated in the
    >>>>>>>last
    >>>>>>>couple of years and are still in use.
    >>>>>>>
    >>>>>>>I changed my ssh keys a couple month ago...but I don't remember if I
    >>>>>>>generated my new key on one of my Ubuntu systems or one of my Macs,
    >>>>>>>so
    >>>>>>>have no idea at this time if I have a problem here or not. :-(
    >>>>>>
    >>>>>>Interesting that Roy Schestowitz missed this one.
    >>>>>>Not surprising though as he missed it when his own server
    >>>>>>www.schestowitz.com was hacked and trojan infested.
    >>>>>
    >>>>>I am still waiting for a good picture of impact from this one. (ie can
    >>>>>someone fully remote log on as an authorized user whose key is in
    >>>>>authorized_keys)
    >>>>>
    >>>>>Looks quite bad. I spent 1.5 hours last night redoing my SSH trust
    >>>>>network.
    >>>>
    >>>>It is a real PITA.
    >>>>
    >>>>What they should do is have it recreate everything for you. As it is,
    >>>>it is a confusing mess with few people really realising the impact. So
    >>>>much for "many eyes".
    >>>
    >>>I updated three machines this morning, and the keys changed on all of
    >>>them.
    >>>It was not that big a deal for me - I'm just glad the issue is
    >>>resolved.

    >>
    >>Can you post a link to the process to follow? I have 4 debian machines
    >>networked with ssh over the net. One pair using sshfs. Is it machine
    >>specific keys too? Or only user keys for all users which can connect?

    >
    >
    > Hmm, I thought you a**holes said linsux was impenetrable
    >
    >

    hehehe...yeah...now they're all screwed!...serves them right!...LOL!
    Frank

  19. Re: big debian and ubuntu security alert

    On 2008-05-14, Hadron wrote:
    > Ignoramus12901 writes:
    >
    >> On 2008-05-14, Hadron wrote:
    >>> Ignoramus12901 writes:
    >>>
    >>>> On 2008-05-14, Moshe Goldfarb wrote:
    >>>>> On Wed, 14 May 2008 04:48:09 -0700, Tim Smith wrote:
    >>>>>
    >>>>>> I believe there are many Debian and Ubuntu users here. Important
    >>>>>> security alert:
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>>> IMPORTANT NOTE: just installing the fixed software is not sufficient.
    >>>>>> You have to deal with any tainted keys that were generated in the last
    >>>>>> couple of years and are still in use.
    >>>>>>
    >>>>>> I changed my ssh keys a couple month ago...but I don't remember if I
    >>>>>> generated my new key on one of my Ubuntu systems or one of my Macs, so
    >>>>>> have no idea at this time if I have a problem here or not. :-(
    >>>>>
    >>>>> Interesting that Roy Schestowitz missed this one.
    >>>>> Not surprising though as he missed it when his own server
    >>>>> www.schestowitz.com was hacked and trojan infested.
    >>>>
    >>>> I am still waiting for a good picture of impact from this one. (ie can
    >>>> someone fully remote log on as an authorized user whose key is in
    >>>> authorized_keys)
    >>>>
    >>>> Looks quite bad. I spent 1.5 hours last night redoing my SSH trust
    >>>> network.
    >>>
    >>> It is a real PITA.
    >>>
    >>> What they should do is have it recreate everything for you. As it is,
    >>> it is a confusing mess with few people really realising the impact. So
    >>> much for "many eyes".

    >>
    >> Recreate what?

    >
    > Dont certain apps generate their own keys too?
    >
    > I just did my ssh rsa keys for ssh'ing in without password but is that
    > all?


    That's about it, if your host keys were changed automatically.

    Still I would run the perl script, to check for anything that you
    might have missed.
    --
    Due to extreme spam originating from Google Groups, and their inattention
    to spammers, I and many others block all articles originating
    from Google Groups. If you want your postings to be seen by
    more readers you will need to find a different means of
    posting on Usenet.
    http://improve-usenet.org/

  20. Re: big debian and ubuntu security alert

    "Whoknew" writes:

    > "Hadron" wrote in message
    > news:g0f3kr$pb5$3@registered.motzarella.org...
    >> Mike McGinn writes:
    >>
    >>> Hadron wrote:
    >>>
    >>>> Ignoramus12901 writes:
    >>>>
    >>>>> On 2008-05-14, Moshe Goldfarb wrote:
    >>>>>> On Wed, 14 May 2008 04:48:09 -0700, Tim Smith wrote:
    >>>>>>
    >>>>>>> I believe there are many Debian and Ubuntu users here. Important
    >>>>>>> security alert:
    >>>>>>>
    >>>>>>>
    >>>>>>>
    >>>>>>> IMPORTANT NOTE: just installing the fixed software is not sufficient.
    >>>>>>> You have to deal with any tainted keys that were generated in the
    >>>>>>> last
    >>>>>>> couple of years and are still in use.
    >>>>>>>
    >>>>>>> I changed my ssh keys a couple month ago...but I don't remember if I
    >>>>>>> generated my new key on one of my Ubuntu systems or one of my Macs,
    >>>>>>> so
    >>>>>>> have no idea at this time if I have a problem here or not. :-(
    >>>>>>
    >>>>>> Interesting that Roy Schestowitz missed this one.
    >>>>>> Not surprising though as he missed it when his own server
    >>>>>> www.schestowitz.com was hacked and trojan infested.
    >>>>>
    >>>>> I am still waiting for a good picture of impact from this one. (ie can
    >>>>> someone fully remote log on as an authorized user whose key is in
    >>>>> authorized_keys)
    >>>>>
    >>>>> Looks quite bad. I spent 1.5 hours last night redoing my SSH trust
    >>>>> network.
    >>>>
    >>>> It is a real PITA.
    >>>>
    >>>> What they should do is have it recreate everything for you. As it is,
    >>>> it is a confusing mess with few people really realising the impact. So
    >>>> much for "many eyes".
    >>>
    >>> I updated three machines this morning, and the keys changed on all of
    >>> them.
    >>> It was not that big a deal for me - I'm just glad the issue is
    >>> resolved.

    >>
    >> Can you post a link to the process to follow? I have 4 debian machines
    >> networked with ssh over the net. One pair using sshfs. Is it machine
    >> specific keys too? Or only user keys for all users which can connect?

    >
    > Hmm, I thought you a**holes said linsux was impenetrable
    >
    >


    No. Only COLA "advocates" claim that. The rest of us who actually use
    Linux know different.
