redelijkheid.com

It seems that public key authentication isn’t as save as you might have thought. That is if you’re using a Debian based OpenSSH solution. This package can be found in many Linux distributions like;

• Debian (duh )
• Ubuntu
• Kubuntu
• etc.

The problem is that the random number generator (which is of vital importance in generating key-pairs) isn’t as random as you might think. It seems that there are only about 30.000 combinations in this specific generator. This leaves the door wide open for brute-force attacks.

So, the first you must do is update your OpenSSH software, and generate new keypairs for all devices / users which might have keys which were generated with the vulnerable OpenSSH software. Softwarepackages depending on OpenSSH are;

• OpenVPN
• DNSSEC
• OpenSSH
• Certificates used in TLS connections
• etc.

More info on the subject can be found here [1, 2, 3].

Tags: Debian, OpenSSH, PKI, vulnerability

This entry was posted on May 20th, 2008 @ 9:53 am by Willem and is filed under Linux, News, Security, Software. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.