DesktopLinux
Linux gets security black eye
May 16, 2008

As has been widely reported, the maintainers of Debian's OpenSSL packages recently made errors that have potentially compromised the security of any sshd-equipped system that Debian users log into remotely. System administrators may wish to purge authorized_keys files of public keys generated since 2006 on affected client machines.

Simply using a Debian-based machine to access a remote server via SSH would not be enough to put the machine at risk. However, if the user copied a public key generated on a Debian-based system to the remote server, for example to take advantage of the higher security offered by password-free logins, then the weak key could make the server susceptible to brute-force attacks, especially if the user's name is easily guessable.

Administrators of servers that run SSH may wish to go through users' authorized key files (typically ~/.ssh/authorized_keys), deleting any that may have been affected. A "detector" script, available here, appears to compare public key signatures against a list of just 262,800 entries. That in turn suggests that if the user's name is known, a brute force attack progressing at one guess per second could succeed within 73 hours (262,800 seconds).

A full explanation of the problem can be found here. In a nutshell, Debian's OpenSSL maintainers made some Debian-specific patches that, according to subscriber-only content at LWN.net, were aimed at fixing a memory mapping error that surfaced during testing with the valgrind utility. The unintended consequence was a crippling of the randomness of keys, making them predictable, and thus possible to guess using "brute-force" attacks. And unfortunately, the Debian maintainers failed to submit their patches upstream, and thus the problem did not surface until very recently (there's certainly a lesson to be learned, there). Not surprisingly, brute force attacks are way up this week, LWN.net also reported.

Users of Debian and Debian-based distributions such as Ubuntu should immediately upgrade the SSH software on their systems. The new ssh-client package will contain an "ssh-vulnkey" utility that, when run, checks the user's keys for the problem. Users should re-generate any affected keys as soon as possible.
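The "detector" script and the ssh-vulnkey utility mentioned above both work by comparing key fingerprints against a blacklist of known-weak keys. As an added example (not the article's detector script and not ssh-vulnkey), the following Python script applies the same idea to an authorized_keys file: it parses each key line, including any leading options, computes the OpenSSH MD5 fingerprint of the key blob, and reports entries whose fingerprint appears in the blacklist. The key blobs and the one-entry blacklist are constructed placeholders; a real check would load the published weak-key lists instead.

```python
import base64
import hashlib
import re
import struct

def _blob(key_type: str, payload: bytes) -> str:
    """Build a base64 SSH public-key blob: length-prefixed type string, then payload.
    The payloads below are placeholder bytes, not real (and not real weak) key material."""
    raw = struct.pack(">I", len(key_type)) + key_type.encode() + payload
    return base64.b64encode(raw).decode()

ALICE_BLOB = _blob("ssh-rsa", b"\x00\x00\x00\x01\x03\x00\x00\x00\x02\x01\x01")  # constructed
BACKUP_BLOB = _blob("ssh-dss", b"\x00\x00\x00\x01\x02")                          # constructed

# Constructed authorized_keys content: one plain entry, one with leading options.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    f"ssh-rsa {ALICE_BLOB} alice@laptop",
    f'command="/usr/bin/backup",no-pty ssh-dss {BACKUP_BLOB} backup@host',
])

def md5_fingerprint(b64_blob: str) -> str:
    """OpenSSH-style MD5 fingerprint: MD5 of the decoded blob, hex bytes joined by colons."""
    digest = hashlib.md5(base64.b64decode(b64_blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Stand-in for the published weak-key blacklist: here it holds only Alice's fingerprint.
WEAK_FINGERPRINTS = {md5_fingerprint(ALICE_BLOB)}

# Key line = [options] type base64-blob [comment]; options may contain quoted spaces.
KEY_RE = re.compile(r"(?:^|\s)(ssh-rsa|ssh-dss)\s+([A-Za-z0-9+/=]+)(?:\s+(\S.*))?$")

def parse_authorized_keys(text: str) -> list:
    """Return (line_no, key_type, fingerprint, comment) for every recognised key line."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            continue  # unrecognised key type or malformed line; leave it for manual review
        entries.append((n, m.group(1), md5_fingerprint(m.group(2)), m.group(3) or ""))
    return entries

def find_weak_keys(text: str, blacklist: set) -> list:
    """Return the entries whose fingerprint is blacklisted; these are the ones to delete."""
    return [e for e in parse_authorized_keys(text) if e[2] in blacklist]
```

Run `find_weak_keys(open(path).read(), blacklist)` over each user's file to get the line numbers to remove; lines the parser cannot recognise are skipped rather than reported, so review those by hand.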

Also possibly affected are "OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections," though apparently not keys generated with GnuPG or GNUTLS. More details can be found here (Debian resource page), as well as on this webpage, which also links to lists of common keys and brute-force scripts that boast of 20-minute typical break-in times.


-- Henry Kingman