SW Designs

Technology and Photography

Predictable Random Number Generater in Debain’s OpenSSL Package

Since the Debian security advisory was published there has been plenty of discussion about who is to blame and how such a bug has gone unnoticed since September 2006. While they are important discussions that need to be had, I’ll focus on how to protect your Debian based PCs, laptops, servers, etc. First thing’s first, upgrade OpenSSH and the relevant packages.

1
2
$ sudo apt-get update
$ sudo apt-get upgrade

Where you have OpenSSH installed, the host keys must be regenerated.

1
2
3
4
$ sudo rm /etc/ssh/ssh_host_*
$ sudo dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...

Restarting OpenBSD Secure Shell server: sshd. SSHing onto the server will display a warning because the client’s host key in the known_hosts file does match what the server presents. Just delete the referenced line from known_hosts.

1
2
3
4
5
6
7
$ ssh server
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.

If you use public key authentication you’ll need to regenerate those keys, remembering to remove the old entry from authorized_keys on the server. The same goes for SSL certs used by web servers.

Comments