Posted on | May 15, 2008 | Comments Off
I spent the better part of 3 1/2 hours this morning losing my keys. Not my car keys, not my house keys, my public SSH keys. All keys that I have in use were generated on a Debian or Ubuntu GNU/Linux computer. Luckily I’m pretty diligent about keeping a list of what key is where (and what its for), I was able to login to every system and remove my key.
There is a bit of hype and FUD going around regarding this vulnerability. The issue is not in OpenSSH itself, its an issue with the Debian specific ssh-keygen program. This is a user propagated issue, overly-simplified below:
- Debian/Ubuntu user generates a ssh key pair
- Debian/Ubuntu user installs the public key on remote machines
- Remote machines are now vulnerable, as the key is easy to guess.
As my key was installed to numerous /root/ssh/authorized_keys2 files, this means that ‘getting root’ on those systems would be extremely easy for a cracker. Likewise, keys letting you in to an underprivileged account with sudo rights would be just as dangerous.
Even keys that get you into your web hosting account could allow a cracker to easily log in and dump your databases which (might) contain sensitive information about your users.
If you are a Debian / Ubuntu / (or any Debian derivative user), get rid of all of your keys and ensure that they are generated on a system that does not have the predictable random number issue. If you are a system administrator, get rid of any key in authorized_hosts (on any account) unless you are absolutely sure that the key was generated on an unaffected machine.
This experience caused me to do some thinking. It took me over 3 hours to make sure weak keys were removed from every computer that accepted them. What would happen if my private keys and pass phrases were compromised? There is just no single efficient way of revoking a key if its used across multiple domains and organizations. Sure, ssh can be taught to reject known weak keys .. but not compromised ones Even strong pass phrases are hard to keep track of, anyone will eventually make a cheat sheet with them which is a smorgasboard for a cracker.
I never thought that I would ever have to replace every key, so I never gave much thought to how much time it would take. If someone snagged my private keys and pass phrase, they could do damage much faster than I could revoke those keys.
Something to think about.