Evan Martin (evan) wrote in evan_tech,

what you need to do in response to the openssl fiasco

If you have used a Debian-based system to generate SSH keys in the past two years, your keys are likely no good. This document has instructions. In brief:

1) Delete your bad keys: .ssh/id_*. Fix all systems where you're trusting those keys (think .ssh/authorized_keys); someone has already published a table of all private keys, so it's just a matter of time before your system is brute-forced.

2) Update your systems. I see an "openssl-blacklist" package show up on both my Debian stable and my Ubuntu whateverletterthey'reon one. You'll get some debconf prompts about it clobbering stuff, including potentially your host keys, which means the next time you connect to the machine you'll get the "host keys have changed" message.

3) To make yourself feel less anxious, try running ssh-vulnkey to print an analysis of keys in standard paths on your system. (Run it as sudo ssh-vulnkey -a to check all users on your system.)
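
For the authorized_keys part of step 1, the check amounts to fingerprinting every key a machine trusts and comparing it against a list of known-weak fingerprints. The sketch below is an added example, not code from the original post or from ssh-vulnkey. The function names, the sample keys and the weak-fingerprint set are constructed placeholders; a real run would load fingerprints from whatever weak-key list you trust.

```python
import base64, hashlib, re, struct

# Key types in use at the time of the bug; the blob is base64 after the type.
KEY_RE = re.compile(r"\b(ssh-rsa|ssh-dss)\s+([A-Za-z0-9+/]+={0,2})")

def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint of a raw public key blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def parse_keys(text: str):
    """Yield (line_no, key_type, fingerprint) for each key in authorized_keys text."""
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for match in KEY_RE.finditer(line):
            key_type, b64 = match.groups()
            try:
                blob = base64.b64decode(b64, validate=True)
            except ValueError:
                continue
            # A real blob starts with its own length-prefixed type name; this
            # rejects "ssh-rsa" appearing inside an options string.
            header = struct.pack(">I", len(key_type)) + key_type.encode()
            if blob.startswith(header):
                yield line_no, key_type, md5_fingerprint(blob)
                break

def audit(text: str, weak_fingerprints: set):
    """Return [(line_no, fingerprint)] for trusted keys found in the weak set."""
    return [(n, fp) for n, _, fp in parse_keys(text) if fp in weak_fingerprints]

def make_blob(key_type: str, body: bytes) -> bytes:
    """Build a constructed, non-functional key blob for the demo."""
    return struct.pack(">I", len(key_type)) + key_type.encode() + body

# Constructed sample data: these are not real keys.
WEAK_BLOB = make_blob("ssh-rsa", b"\x00" * 32)
GOOD_BLOB = make_blob("ssh-rsa", b"\x01" * 32)
WEAK_SET = {md5_fingerprint(WEAK_BLOB)}  # stand-in for a real weak-key list
SAMPLE = "\n".join([
    "# constructed authorized_keys",
    "ssh-rsa " + base64.b64encode(GOOD_BLOB).decode() + " alice@laptop",
    'command="echo ssh-rsa AAAA" ssh-rsa '
    + base64.b64encode(WEAK_BLOB).decode() + " bob@old-debian",
])

if __name__ == "__main__":
    for line_no, fp in audit(SAMPLE, WEAK_SET):
        print(f"line {line_no}: weak key {fp}")
```

Any line it reports is an entry to delete from authorized_keys, whichever machine the key was originally generated on.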