SSH Vulnerability Patch instructions

Print version
Text Size: Change text to small (default) Change text to medium Change text to large
Related Links

» Debian DSA-1576-1 openssh

» Ubuntu USN-612-2: OpenSSH vulnerability

Description of Vulnerability


A weakness has been discovered in the random number generator used by OpenSSL on Debian 
and Ubuntu systems. As a result of this weakness, certain encryption keys are much more 
common than they should  be, such that an attacker could guess the key through a brute-force 
attack given minimal knowledge of the system. This particularly affects the use of encryption 
keys in OpenSSH.This vulnerability only affects operating systems which (like Ubuntu) are based 
on Debian. However, other systems can be indirectly affected if weak keys are imported into them. 
We consider this an  extremely serious vulnerability, and urge all users to act immediately to secure 
their systems.The following Ubuntu and Debian releases are affected:

  • Ubuntu 7.04
  • Ubuntu 7.10
  • Ubuntu 8.04 LTS
  • Debian Etch

Note: Other distributions which are based on Debian or Ubuntu may be affected as well (such as Kubuntu, 
Knoppix, etc). If your system is based on Debian (ie. uses the apt package system) you should upgrade 
your openssh-server packages.



How To Patch Your System Using Update-Manager


If you are running the standard Ubuntu or Debian Etch desktop (Gnome), you can simply run the update-manager. From the Gnome menu bar, select:

System->Administration->Update Manager

Follow the prompts and your system will be updated. Continue at step #8 below.



How to Patch Your System Using the Shell


Using Update-Manager is the simplest way to patch your system. These instructions will show you how to patch from the linux shell prompt. Some knowledge of Unix/Linux is required.

1) Open a shell (Applications->Accessories->Terminal).

2) Become the root user ("sudo -s" on an Ubuntu system will grant a root shell, or "su -" on Debian). 

3) You can determine if your system is one of those that are listed as explicitly vulnerable (note that this isn't a conclusive test, your system may still be vulnerable if it is based on one of the affected distributions). On Ubuntu examine /etc/lsb-release and compare the release number to the list above. The other method is to look through /etc/apt/sources.list. Each repository line will list the release name (ie. Sarge, Etch, Gutsy, etc). If unsure, update your system!

4) This command will retrieve the most recent list of updates from the package repositories:
apt-get update
5) This command will tell you if you have the ssh client or server package installed. If this command returns nothing then you do not have ssh installed and you are done.
dpkg -l |grep ssh
6) Update the packages. This will somewhat depend on the output from the above command. Only run these commands for the packages you have installed (ie. if the above command only returned openssh-client, then do not install the server package). It should be something like the following:
apt-get install openssh-server
apt-get install openssh-client
7) Create new host keys:
/usr/bin/ssh-keygen -t rsa1 -b 1024 -f /etc/ssh/ssh_host_key -N ''
/usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N ''
/usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
8) Check for vulnerable user keys:
/usr/bin/ssh-vulnkey -a
If the above command finds a vulnerable key it will print "COMPROMISED". If that's the case, you must delete the user keys and generate new ones. That can be accomplished by running the ssh-keygen command from the user account that contains the bad keys, like so:
/usr/bin/ssh-keygen
You must run this from the account with the compromised key, not as root (unless it's the root account that has the compromised key).
9) Reboot your system. Rebooting will ensure that your system is using the correct keys.
10) Update the known_hosts and authorized_keys files. The regeneration of host keys will cause a warning to be displayed when connecting to the system using SSH until the host key is updated in the known_hosts file. The warning will look like this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!           @
@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!      @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Someone could be eavesdropping on you right now (man-in-the-middle attack)! 
It is also possible that the RSA host key has just been changed.

In this case, the host key has simply been changed, and you should update the relevant known_hosts file as indicated in the error message.



 

WHOI logo

Last updated May 15, 2008
© Woods Hole Oceanographic Institution. All rights reserved