Archive for May, 2008

Published May 14th, 2008 by admin

How to Patch Ubuntu for openSSL and openSSH Vulnerability

I’m sure you have heard by now that there is a reported vulnerability in openSSL and openSSH. For now this only affects Debian and its derivatives (e.g. Ubuntu).

This is a pretty serious issue, so it should be patched ASAP.

Follow the instructions below to guard your Debian and Ubuntu machines from the vulnerability.

Run the following to find out if you are affected:

wget -c
chmod u+x
./ user
./ host hostname

If either of the last two commands above prints something similar to the following:

.ssh/ weak key

…then you are affected by the vulnerability. If you do not see “weak key” reported then you are OK.

Otherwise, follow the steps below:

Apply any updates by entering the following at a command line:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

You should see an update for openssl and openssh packages (along with anything else available).

After these new packages have been installed you will want to regenerate any keys that you’ve generated (e.g. openssh keys, CA certs, etc.).

To generate a new openssh key for your user (this is only required if ‘./ user‘ reports a weak key):

ssh-keygen -t dsa -b 1024

To generate a new openssh key for your server (this is only required if ‘./ host hostname‘ reports a weak key):

sudo rm /etc/ssh/ssh_host_{dsa,rsa}_key*
sudo dpkg-reconfigure -plow openssh-server

You should now run the validation script again and make sure it does not report any errors. If you still see warnings such as:

.ssh/authorized_hosts:1: weak key

…this means that you still have saved keys that are affected, in this case in the authorized_hosts file. The easiest way to solve this is to issue the following:

rm .ssh/authorized_hosts

This removes the file, which will be recreated the next time it is needed. Alternatively, delete only the affected line in the file using your favorite text editor; the line is indicated by the trailing “:1”, which is the affected line number.
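The report format shown above (path:N: weak key) can be handled with a few lines of shell, both to decide whether the checker flagged anything at all (the “weak key” test from the start of the post) and to remove only the flagged lines instead of deleting the whole file. The following is an added example and is not part of the original post or its checker script. It assumes the checker prints lines in exactly that shape and that flagged paths contain no spaces or colons; the key file and report it works on are constructed inline, and it uses OpenSSH's standard per-user file name, authorized_keys.

```shell
#!/bin/sh
# Added example, not from the original post. Works on a weak-key report whose
# lines look like "path:N: weak key" (the shape shown in the post) and removes
# only the flagged lines, keeping a .bak copy of each file it touches.
# Assumption: flagged paths contain no spaces or colons.

# Number of flagged entries in a report read from stdin (prints 0 if none).
count_weak() {
    grep -c ': weak key$' || true
}

# Print "path N" for each flagged entry in a report read from stdin.
list_weak() {
    awk -F: '/: weak key$/ { print $1, $2 }'
}

# Delete the given line numbers from a file: $1 = file, $2.. = line numbers.
# The original is saved as "$1.bak" and sed reads from that copy, so this is
# portable (no reliance on GNU "sed -i").
prune_lines() {
    file=$1; shift
    cp "$file" "$file.bak"
    args=''
    for n in "$@"; do
        args="$args -e ${n}d"
    done
    sed $args "$file.bak" > "$file"
}

# Apply a report file ($1): for every "path:N: weak key" line, remove line N
# from path. Line numbers are collected per file first and deleted in one sed
# run, so they still refer to the file as it was when the checker ran.
prune_report() {
    report=$1
    for f in $(awk -F: '/: weak key$/ { print $1 }' "$report" | sort -u); do
        nums=$(awk -F: -v f="$f" '/: weak key$/ && $1 == f { print $2 }' "$report")
        prune_lines "$f" $nums
    done
}

# Demo on constructed data: a three-line authorized_keys with two flagged lines.
demo() {
    dir=$(mktemp -d)
    keys="$dir/authorized_keys"
    printf '%s\n' \
        'ssh-rsa AAAAconstructedWeak1 alice@old-host' \
        'ssh-rsa AAAAconstructedGood bob@laptop' \
        'ssh-dss AAAAconstructedWeak2 carol@old-host' > "$keys"
    printf '%s\n' "$keys:1: weak key" "$keys:3: weak key" > "$dir/report.txt"
    echo "flagged: $(count_weak < "$dir/report.txt")"
    prune_report "$dir/report.txt"
    echo "remaining after prune:"
    cat "$keys"            # only bob's line is left; the original is in authorized_keys.bak
    rm -rf "$dir"
}

demo
```

Feed the checker's output to prune_report once and rerun the checker afterwards, exactly as the post says; if it still reports weak keys, the .bak copy lets you compare what was removed. Keeping the untouched entries is safer than removing the whole file, since the file is not recreated with the same contents and any still-valid keys would otherwise have to be re-added by hand.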

Continue to run the ./ script until no weaknesses are reported.