Forum: OpenSSL package bug that compromises SSH keys

Posted by: Sebastien Varrette

Content: A vulnerability in the OpenSSL Debian package [2] that affects all cryptographic key material generated with the help of OpenSSL has been discovered recently [1]. It is normally a Debian-specific vulnerability (Ubuntu is also concerned [3]). Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GnuTLS are not affected, though.

In any case, if you are running a Debian or Ubuntu machine, you should definitely update the openssl package and regenerate your SSH keys together with the SSH keys of the host. This has been done on the gforge machine, and that's why you may encounter an error message mentioning "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" when you now try to connect by SSH or SVN+SSH to the gforge. The solution in that case is to remove the entry for gforge.uni.lu from your file $HOME/.ssh/known_hosts. Remember also to edit your SSH key on the gforge web site under "My Page/Account Maintenance".

[1]: http://lists.debian.org/debian-security-announce/2008/msg00152.html
[2]: http://www.us.debian.org/security/2008/dsa-1571
[3]: http://www.ubuntu.com/usn/usn-612-1
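The known_hosts cleanup described in the post, as an added example that is not part of the original post: a shell function that removes every plain-text entry for one host, including comma-separated aliases and `[host]:port` forms. The function name `purge_known_host` and the `.bak` backup suffix are choices made for this example.

```shell
#!/bin/sh
# Added example: drop a host's stale entries from a known_hosts file.
# Usage: purge_known_host HOST [FILE]   (prints the number of lines removed)
# Hashed entries (lines starting with "|1|") cannot be matched by name here;
# "ssh-keygen -R HOST" handles those.
purge_known_host() {
    host=$1
    file=${2:-$HOME/.ssh/known_hosts}
    [ -n "$host" ] && [ -f "$file" ] || return 2
    tmp=$(mktemp) || return 2
    cp -p "$file" "$file.bak" || return 2   # keep a copy of the old file

    removed=$(awk -v h="$host" -v out="$tmp" '
        # Comments and blank lines are kept untouched.
        /^[ \t]*(#|$)/ { print > out; next }
        {
            # An optional @cert-authority/@revoked marker precedes the host list.
            hosts = ($1 ~ /^@/) ? $2 : $1
            n = split(hosts, names, ",")
            hit = 0
            for (i = 1; i <= n; i++) {
                name = names[i]
                # Non-default ports are stored as [host]:port.
                if (name ~ /^\[/) { sub(/^\[/, "", name); sub(/\]:[0-9]+$/, "", name) }
                if (name == h) hit = 1
            }
            if (hit) count++; else print > out
        }
        END { print count + 0 }
    ' "$file") || { rm -f "$tmp"; return 2; }

    cat "$tmp" > "$file" && rm -f "$tmp"   # cat keeps the file's owner and mode
    echo "$removed"
}
```

On the next connection SSH asks to accept the new host key; compare the fingerprint it shows with one obtained from the server administrators before answering yes.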