Non-working GNOME SSH keys



Read this if you have a GNOME (ssh) account and it isnʼt working and you
want to know why.

Due to Debian security issue weʼve locked down the machines for public
key authentication. See the announcement by Guilherme de S. Pastore to
devel-announce-list below. Please ensure youʼre subscribed to that list
(as we expect people to be)! Generally announcements are spread via
Planet GNOME as well, but that is more of an extra service.

Please contact accounts gnome org if you have either:
* Used a DSA key on a Debian/Ubuntu machine affected by the security
* issue
* Generated a DSA/RSA key on an affected Debian/Ubuntu machine

Note: If you have a DSA key generated on a non-Debianb/Ubuntu (e.g. Red
Hat) distribution (or whatever) and used it on a affected Debian/Ubuntu
machine (meaning: sshʼed from that machine, not to such a machine), you
are affected as well. So please replace your key in such cases as well.

Current plan: Weʼll (well, Owen) remove all blacklisted SSH keys that we
can find and inform affected people. This to avoid greatest security
issues. Not sure yet what weʼll do about the DSA keys (they could be
compromised now or in future whenever theyʼre used on an affected
Debian/Ubuntu machine).

Closing: Iʼm unfortunately way too busy to really help the sysadmins
working on this.. plus the accounts people replacing the SSH keys.
Thanks to everyone whoʼs helping.

On Wed, May 14, 2008 at 10:52:29PM -0500, Guilherme de S. Pastore wrote:
> As some of you have probably been made aware of somehow by now, the 
> Debian openssl package introduced an incorrect change in version 
> 0.9.8c-1, available since September 2007 and distributed with the 
> current stable release "etch", which resulted in the output of the 
> random number generator being predictable, as per CVE-2008-0166.
> 
> That directly affects openssh, and any key generated on Debian or 
> Debian-derived systems from then until the recent security updates (on 
> Debian, versions 0.9.8c-4etch3 or 0.9.8g-9) is deemed potentially 
> compromised.
> 
> It should be obvious from the start that we are exposed to risk by the 
> number of developers we have that use Debian or Ubuntu systems, and we
> have run individual tests to reach the conclusion that we do, indeed,
> have this kind of key installed on the GNOME servers. Hence, I regret to 
> inform that key authentication to GNOME machines has been disabled some 
> minutes ago for safety. We will be working into putting mechanisms into 
> place that allow for blacklisting upon authentication, so that the
> insecure keys are selectively disabled and we can resume normal operation
> as soon as possible.
> 
> It is worth noting, however, that, for all we currently know, not all 
> cases can be detected by the algorithms we have, which would make it 
> insufficient to just remove the keys we know to be broken or blacklist 
> them. Therefore, it is EXTREMELY important that, if you think your key 
> has been generated in a system affected by this bug at the time, you 
> have your system updated, regenerate your SSH keys and get them replaced 
> by mailing accounts gnome org 
> 
> The Infrastructure Team may see a need to go a bit further than I have 
> described in due course, but new announcements will be sent out if that
> is the case.
> 
> We are sorry for the inconvenience, and hope not to have to disturb 
> development for long or delay the next tarballs due date.
> 
> Yours,
> 
> --
> Guilherme de S. Pastore
> The GNOME Sysadmin Team
> _______________________________________________
> gnome-hackers mailing list
> gnome-hackers gnome org
> http://mail.gnome.org/mailman/listinfo/gnome-hackers

-- 
Regards,
Olav


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]