Re: Non-working GNOME SSH keys

From: Djihed Afifi <djihedlists googlemail com>
To: Olav Vitters <olav bkor dhs org>
Cc: gnome-i18n gnome org
Subject: Re: Non-working GNOME SSH keys
Date: Fri, 16 May 2008 10:41:39 +0100
Hi


I had my keys revoked and I replaced them  through accounts gnome org ,
but the new ones are still not working.

Is there anything I'm not aware of before contacting accounts again?


Djihed

في ج، 16-05-2008 عند 09:46 +0200 ، كتب Olav Vitters:
> Read this if you have a GNOME (ssh) account and it isn’t working and you
> want to know why.
> 
> Due to Debian security issue we’ve locked down the machines for public
> key authentication. See the announcement by Guilherme de S. Pastore to
> devel-announce-list below. Please ensure you’re subscribed to that list
> (as we expect people to be)! Generally announcements are spread via
> Planet GNOME as well, but that is more of an extra service.
> 
> Please contact accounts gnome org if you have either:
> * Used a DSA key on a Debian/Ubuntu machine affected by the security
> * issue
> * Generated a DSA/RSA key on an affected Debian/Ubuntu machine
> 
> Note: If you have a DSA key generated on a non-Debianb/Ubuntu (e.g. Red
> Hat) distribution (or whatever) and used it on a affected Debian/Ubuntu
> machine (meaning: ssh’ed from that machine, not to such a machine), you
> are affected as well. So please replace your key in such cases as well.
> 
> Current plan: We’ll (well, Owen) remove all blacklisted SSH keys that we
> can find and inform affected people. This to avoid greatest security
> issues. Not sure yet what we’ll do about the DSA keys (they could be
> compromised now or in future whenever they’re used on an affected
> Debian/Ubuntu machine).
> 
> Closing: I’m unfortunately way too busy to really help the sysadmins
> working on this.. plus the accounts people replacing the SSH keys.
> Thanks to everyone who’s helping.
> 
> On Wed, May 14, 2008 at 10:52:29PM -0500, Guilherme de S. Pastore wrote:
> > As some of you have probably been made aware of somehow by now, the 
> > Debian openssl package introduced an incorrect change in version 
> > 0.9.8c-1, available since September 2007 and distributed with the 
> > current stable release "etch", which resulted in the output of the 
> > random number generator being predictable, as per CVE-2008-0166.
> > 
> > That directly affects openssh, and any key generated on Debian or 
> > Debian-derived systems from then until the recent security updates (on 
> > Debian, versions 0.9.8c-4etch3 or 0.9.8g-9) is deemed potentially 
> > compromised.
> > 
> > It should be obvious from the start that we are exposed to risk by the 
> > number of developers we have that use Debian or Ubuntu systems, and we
> > have run individual tests to reach the conclusion that we do, indeed,
> > have this kind of key installed on the GNOME servers. Hence, I regret to 
> > inform that key authentication to GNOME machines has been disabled some 
> > minutes ago for safety. We will be working into putting mechanisms into 
> > place that allow for blacklisting upon authentication, so that the
> > insecure keys are selectively disabled and we can resume normal operation
> > as soon as possible.
> > 
> > It is worth noting, however, that, for all we currently know, not all 
> > cases can be detected by the algorithms we have, which would make it 
> > insufficient to just remove the keys we know to be broken or blacklist 
> > them. Therefore, it is EXTREMELY important that, if you think your key 
> > has been generated in a system affected by this bug at the time, you 
> > have your system updated, regenerate your SSH keys and get them replaced 
> > by mailing accounts gnome org 
> > 
> > The Infrastructure Team may see a need to go a bit further than I have 
> > described in due course, but new announcements will be sent out if that
> > is the case.
> > 
> > We are sorry for the inconvenience, and hope not to have to disturb 
> > development for long or delay the next tarballs due date.
> > 
> > Yours,
> > 
> > --
> > Guilherme de S. Pastore
> > The GNOME Sysadmin Team
> > _______________________________________________
> > gnome-hackers mailing list
> > gnome-hackers gnome org
> > http://mail.gnome.org/mailman/listinfo/gnome-hackers
> 
-- 
Have a project you would like to be translated to Arabic?
Let us know:
http://wiki.arabeyes.org/Translation_requests

Blog: http://djihed.com
Follow-Ups:
- Re: Non-working GNOME SSH keys
  - From: Olav Vitters
References:
- Non-working GNOME SSH keys
  - From: Olav Vitters
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]