May 13

EDIT: As per https://lists.ubuntu.com/archives/ubuntu-security-announce/2008-May/000706.html , upgrading the package will test the sshd key, amongst other things.

It would appear that the OpenSSL algorithm used to generate SSH or SSL keys on Ubuntu and Debian isn’t as random as it needs to be to be secure, which leaves those keys vulnerable to brute-force attack.

As outlined: http://www.ubuntu.com/usn/usn-612-1

Thankfully, the Debian security team has written a pretty nifty Perl script to help find out whether your keys are weak!

First, make sure you have upgraded to the latest libssl0.9.8 package (as outlined in the USN).

To test the public key fingerprint on a server, do the following:

$ wget http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
$ gunzip dowkd.pl.gz

$ chmod +x dowkd.pl
$ ./dowkd.pl file /etc/ssh/ssh_host_{dsa,rsa}_key.pub 2>/dev/null

This will tell you if the public key is weak.  If it is, you should move/remove the key pair, then generate a new pair with:

$ sudo dpkg-reconfigure -plow openssh-server

To test the authorized keys, which can log in using key-based authentication:

$ ./dowkd.pl file ~/.ssh/authorized_keys 2>/dev/null

This will return any weak keys that are authorized to log in using key-based authentication. These entries should be removed, and a new key generated and added to the file.

To see if your own user keys are vulnerable:

$ ./dowkd.pl file ~/.ssh/id_{rsa,dsa}.pub 2>/dev/null

If one is, you should remove the key, create a new one using “ssh-keygen”, and redistribute the public key (including to Launchpad).

NOTE: you should test all user keys on the system. It might be worth saving any weak keys, in case you do get locked out of a system.
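What a fingerprint test like the ones above amounts to, as an added example (this is not dowkd.pl and not code from the original post): each key in an authorized_keys or .pub file is decoded, fingerprinted and looked up in a set of known-weak fingerprints. The MD5-of-key-blob fingerprint format, the function names and the weak set are assumptions, and the sample keys are constructed, not real.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # RSA and DSA, the two types the post tests


def md5_fingerprint(blob: bytes) -> str:
    """Hex MD5 of the decoded key blob (the classic fingerprint, minus colons)."""
    return hashlib.md5(blob).hexdigest()


def find_weak_keys(text: str, weak_fingerprints: set) -> list:
    """Return (line_number, comment, fingerprint) for every key in the weak set."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # authorized_keys entries may begin with options, so locate the key type.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
        except ValueError:
            continue  # damaged entry, not a decodable key
        fp = md5_fingerprint(blob)
        if fp in weak_fingerprints:
            hits.append((lineno, " ".join(fields[idx + 2:]), fp))
    return hits


def make_blob(key_type: str, *numbers: int) -> bytes:
    """Constructed stand-in for a key blob: length-prefixed type, then integers."""
    parts = [key_type.encode()]
    parts += [n.to_bytes((n.bit_length() + 8) // 8, "big") for n in numbers]
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)


# Constructed sample data: neither blob is a real key.
WEAK, GOOD = make_blob("ssh-rsa", 65537, 0xC0FFEE), make_blob("ssh-rsa", 65537, 0xBADC0DE)
SAMPLE_WEAK_SET = {md5_fingerprint(WEAK)}
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys file",
    "ssh-rsa " + base64.b64encode(GOOD).decode() + " alice@laptop",
    'no-pty,command="/bin/true" ssh-rsa ' + base64.b64encode(WEAK).decode() + " bob@old-box",
])
```

Calling find_weak_keys(SAMPLE_AUTHORIZED_KEYS, SAMPLE_WEAK_SET) reports only the entry on line 3, the one carrying login options, which is the line you would remove and replace.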

Please pass this on to anyone using SSH.


3 Responses to “Weak SSH key?”

  1. Qense’s blog » Blog Archive » SSH keys Says:

    [...] followed the instructions in this post: Weak SSH key? I found at the Ubuntu Planet to test if my keys were weak. But the commands in that post never [...]

  2. SSH Bug in Debian/Ubuntu Systems | Par-Due.com Says:

    [...] to my sources (2), I was able to pass this along and have it archived on my blog. Party [...]

  3. Debian und die OpenSSL-Schwachstelle - sharkBLOG Says:

    [...] http://blog.zakame.net/news/openssl-remote-dsa-1571 http://daviey.mooo.com/blogroll/weak-ssh-key.html http://feeds.feedburner.com/~r/UbuntuTutorials/~3/289661396/ [...]
