Tux

...making Linux just a little more fun!

Recent Debian SSH vulnerability

Ben Okopnik [ben at linuxgazette.net]


Fri, 16 May 2008 20:27:48 -0400

Yeah, it's all the news now, so I figured I'd kick in my bit. :)

As those of you on staff are aware, we use SSH keyauth for our staff accounts. I've been running some checks for weak keys (for any of you that want to check your own, http://security.debian.org/project/extra/dowkd/dowkd.pl.gz is a detector), and - whoops! We had a few in the list. Gone now, of course. (Amit, please revise your keys and send them to me. :)

We now return you to your scheduled programming.

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *


Top    Back


René Pfeiffer [lynx at luchs.at]


Sat, 17 May 2008 15:23:26 +0200

On May 16, 2008 at 2027 -0400, Ben Okopnik appeared and said:

> Yeah, it's all the news now, so I figured I'd kick in my bit. :)

Bring it on. :)

> As those of you on staff are aware, we use SSH keyauth for our staff
> accounts. I've been running some checks for weak keys (for any of you
> that want to check your own,
> http://security.debian.org/project/extra/dowkd/dowkd.pl.gz is a
> detector), and - whoops! We had a few in the list. Gone now, of course.
> (Amit, please revise your keys and send them to me. :)

I will change all my keys, regardless of what the checking tools says. Keys should be changed periodically anyway and since I need to replace some I can also replace them all.

> We now return you to your scheduled programming.

Which is, for me, the last day of the Linux days in Vienna! :) The Linux days/weeks are annual conferences all over Austria with lots of talks, discussions, and coffee (due to the OpenSSL thing ;).

Best, René.


Top    Back


Ben Okopnik [ben at linuxgazette.net]


Sat, 17 May 2008 10:27:12 -0400

On Sat, May 17, 2008 at 03:23:26PM +0200, René Pfeiffer wrote:

> On May 16, 2008 at 2027 -0400, Ben Okopnik appeared and said:
> > Yeah, it's all the news now, so I figured I'd kick in my bit. :)
> 
> Bring it on. :)
> 
> > As those of you on staff are aware, we use SSH keyauth for our staff
> > accounts. I've been running some checks for weak keys (for any of you
> > that want to check your own,
> > http://security.debian.org/project/extra/dowkd/dowkd.pl.gz is a
> > detector), and - whoops! We had a few in the list. Gone now, of course.
> > (Amit, please revise your keys and send them to me. :)
> 
> I will change all my keys, regardless of what the checking tools says.

Hopefully, you've updated to the non-broken version before regenerating them...

> Keys should be changed periodically anyway and since I need to replace
> some I can also replace them all.
> 
> > We now return you to your scheduled programming.
> 
> Which is, for me, the last day of the Linux days in Vienna! :) The Linux
> days/weeks are annual conferences all over Austria with lots of talks,
> discussions and coffee (due to the OpenSSL thing ;).

I could see how the OpenSSL thing could result in increased coffee consumption, yes. :) On the other hand, in Vienna, anything is a good reason for another coffee (with good reason; I still have fond memories of it..).

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *


Top    Back


René Pfeiffer [lynx at luchs.at]


Sat, 17 May 2008 16:36:46 +0200

On May 17, 2008 at 1027 -0400, Ben Okopnik appeared and said:

> On Sat, May 17, 2008 at 03:23:26PM +0200, René Pfeiffer wrote:
> > On May 16, 2008 at 2027 -0400, Ben Okopnik appeared and said:
> > > Yeah, it's all the news now, so I figured I'd kick in my bit. :)
> >
> > Bring it on. :)
> >
> > > As those of you on staff are aware, we use SSH keyauth for our staff
> > > accounts. I've been running some checks for weak keys (for any of you
> > > that want to check your own,
> > > http://security.debian.org/project/extra/dowkd/dowkd.pl.gz is a
> > > detector), and - whoops! We had a few in the list. Gone now, of course.
> > > (Amit, please revise your keys and send them to me. :)
> >
> > I will change all my keys, regardless of what the checking tools says.
>
> Hopefully, you've updated to the non-broken version before regenerating
> them...

Yes, I did that (and triple checked it). So anything can happen. ;)

> > > We now return you to your scheduled programming.
> >
> > Which is, for me, the last day of the Linux days in Vienna! :) The Linux
> > days/weeks are annual conferences all over Austria with lots of talks,
> > discussions and coffee (due to the OpenSSL thing ;).
>
> I could see how the OpenSSL thing could result in increased coffee
> consumption, yes. :)

Especially if during all this mess the office OpenVPN server disappears and a hurried check at the console reveils that only the core switch failed and thus effectively prevented all brute force attacks. :) Failing switches can be a big benefit provided they fail at the correct moment.

> On the other hand, in Vienna, anything is a good
> reason for another coffee (with good reason; I still have fond memories
> of it..).

Indeed. I already met a director of a local company who has coffee for the employees in the yearly budget plan. Some even include that in the disaster recovery plan. Very smart.

Best, René.


Top    Back


Rick Moen [rick at linuxmafia.com]


Sat, 17 May 2008 10:36:16 -0700

Quoting Ben Okopnik ([email protected]):

> I could see how the OpenSSL thing could result in increased coffee
> consumption, yes. :) On the other hand, in Vienna, anything is a
> good reason for another coffee (with good reason; I still have fond
> memories of it...).

I'm sure being absolutely wide-awake at the time helped.

There's been a great deal of traffic about various weak-key detection scripts, which I haven't followed fully, but I know that at least one of them is due to be backfilled with weak-key sets from 64-bit OpenSSL and big-endian versions. So, checking for revisions might be worthwhile.


Top    Back


Rick Moen [rick at linuxmafia.com]


Mon, 19 May 2008 17:13:43 -0700

I wrote (about one of the weak-key-checking scripts):

> There's been a great deal of traffic about various weak-key detection
> scripts, which I haven't followed fully, but I know that at least one of
> them is due to be backfilled with weak-key sets from 64-bit OpenSSL and
> big-endian versions.  

...and also versions for longer-than-usual key lengths. (Imagine the irony of an easily brute-forced key escaping detection because its key length was greater than the checking script's author anticipated.)


Top    Back


Neil Youngman [Neil.Youngman at youngman.org.uk]


Sat, 17 May 2008 14:51:10 +0100

On Saturday 17 May 2008 01:27, Ben Okopnik wrote:

> Yeah, it's all the news now, so I figured I'd kick in my bit. :)

For anyone that missed it kscd's take is at http://xkcd.com/424/

Neil


Top    Back


Ben Okopnik [ben at linuxgazette.net]


Sat, 17 May 2008 10:22:10 -0400

On Sat, May 17, 2008 at 02:51:10PM +0100, Neil Youngman wrote:

> On Saturday 17 May 2008 01:27, Ben Okopnik wrote:
> > Yeah, it's all the news now, so I figured I'd kick in my bit. :)
> 
> For anyone that missed it kscd's take is at http://xkcd.com/424/

That's already planned for the upcoming issue. :)

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *


Top    Back


Kat Tanaka Okopnik [kat at linuxgazette.net]


Sat, 17 May 2008 08:52:20 -0700

On Sat, May 17, 2008 at 02:51:10PM +0100, Neil Youngman wrote:

> On Saturday 17 May 2008 01:27, Ben Okopnik wrote:
> > Yeah, it's all the news now, so I figured I'd kick in my bit. :)
> 
> For anyone that missed it kscd's take is at http://xkcd.com/424/

That's actually how I found out about it in the first place.

I hurt from laughing that hard.

-- 
Kat Tanaka Okopnik
Linux Gazette Mailbag Editor
[email protected]


Top    Back


René Pfeiffer [lynx at luchs.at]


Sat, 17 May 2008 16:41:29 +0200

On May 16, 2008 at 2027 -0400, Ben Okopnik appeared and said:

> Yeah, it's all the news now, so I figured I'd kick in my bit. :)

What I forgot to mention, here's an interesting blog posting of one of the OpenSSL developers. Make sure you read the comments, too.

http://www.links.org/?p=3D327

Best, René.


Top    Back


Rick Moen [rick at linuxmafia.com]


Mon, 19 May 2008 12:05:54 -0700

Quoting René Pfeiffer ([email protected]):

> On May 16, 2008 at 2027 -0400, Ben Okopnik appeared and said:
> > Yeah, it's all the news now, so I figured I'd kick in my bit. :)
> 
> What I forgot to mention, here's an interesting blog posting of one of
> the OpenSSL developers. Make sure you read the comments, too.
> 
> http://www.links.org/?p=327

Yes, that's quite a blame-game parade, isn't it? One of the background facts that tends to get lost in even the best coverage of this matter is that OpenSSL itself remains hopeless spaghetti code. This isn't the fault of current OpenSSL maintainers like Ben Laurie (whose blog you linked to): It was mostly original coder Eric A. Young[1] and the fact that it was done in early days, when we still had many important, security-sensitive codebases from academic computing that -- well -- were inspiring and useful first efforts from talented people, but were badly designed for long-term use and really needed to be thrown out and rewritten properly: BIND8, sendmail, lpr.

The job of maintaining OpenSSL, like that of maintaining the other named codebases, has been a heroic but thankless task of plugging endless holes, and was an accident waiting to happen. So, it happened. Mr. Laurie's opinion notwithstanding, given decent communication, vendor maintenance should be a major asset to his team, especially needed as disasterously buggy OpenSSL releases have been emerging from upstream for many years. (Note that not only did many of the historical worms aimed at Linux systems include attacks against vulnerable OpenSSL version; I think -most- of them did.)

As pointed out in the blog comments, deliberately using initialised memory is clever but misleading; a proper comment code clarifying that the practice is intentional would have done a world of good. This point was also raised by Jon Corbet in LWN.net: http://lwn.net/Articles/282038/ (subscriber-only until this Thursday)

[1] OpenSSL's original name was "SSLeay", incorporating Young's initials. My guess is that he was then a talented and energetic young cryptographer. The codebase was a major feather in his cap and worthy of respect. At the same time, it really has always begged to be junked and done over. Maybe the current fiasco will inspire closer consideration of GNUTLS as an alternative -- or hasten the day OpenSSL's developers make the hard choice of doing a ground-up rewrite, as Paul Vixie did with BIND9.


Top    Back


Ben Okopnik [ben at linuxgazette.net]


Mon, 19 May 2008 15:46:13 -0400

On Mon, May 19, 2008 at 12:05:54PM -0700, Rick Moen wrote:

> Quoting René Pfeiffer ([email protected]):
> 
> > What I forgot to mention, here's an interesting blog posting of one of
> > the OpenSSL developers. Make sure you read the comments, too.
> > 
> > http://www.links.org/?p=327
> 
> Yes, that's quite a blame-game parade, isn't it?

Yeah, it's a big {b,f,}lamefest. Damn silly - I wince every time I see this happen in the FOSS community - but (I'm coming to believe) inevitable, or nearly so. Perhaps it's because a lot of what happens in the community is based on an intangible - reputation - and because many people have a skewed view of what 'reputation' really means. For me, "I write flawless software" is a groundless boast that's just ripe for a knockdown - whereas "I'm highly responsive to reported bugs, and fix them ASAP" is a hell of a reputation enhancer. But that's just me.

> Maybe the current fiasco will inspire closer consideration of GNUTLS as
> an alternative -- or hasten the day OpenSSL's developers make the hard
> choice of doing a ground-up rewrite, as Paul Vixie did with BIND9.

There seems to be an interesting dynamic in this arena, somewhat parallel to Larry Wall's take on programmer laziness: a sufficient amount of anger and frustration to just throw out the old piece of crap and write the Perfect New Thing (which will eventually become an old piece of crap; lather, rinse, repeat...) But to get there, you need to have people wrestling with the old piece of crap for a sufficient amount of time to gain a perfect understanding of just exactly how wretched it is - or, more precisely, to learn the lessons that will let them learn how to write the Perfect New Thing.

A lot of people tend to see this process as some sort of a gigantic struggle for reputation and fame and fortune, with /sturm und drang/ at every turn and enemies at every gate. I just call it "learning". :)

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *


Top    Back


René Pfeiffer [lynx at luchs.at]


Mon, 19 May 2008 22:04:10 +0200

On May 19, 2008 at 1205 -0700, Rick Moen appeared and said:

> Quoting René Pfeiffer ([email protected]):
>
> > On May 16, 2008 at 2027 -0400, Ben Okopnik appeared and said:
> > > Yeah, it's all the news now, so I figured I'd kick in my bit. :)
> >
> > What I forgot to mention, here's an interesting blog posting of one of
> > the OpenSSL developers. Make sure you read the comments, too.
> >
> > http://www.links.org/?p=3D327
>
> Yes, that's quite a blame-game parade, isn't it?  One of the background
> facts that tends to get lost in even the best coverage of this matter is
> that OpenSSL itself remains hopeless spaghetti code.

I noticed when first encountering its build system and trying to understand where to put the compiler flags. I also took a look at the patched piece of code and the lack of comments. I think a lot of other libraries might have their time bombs set, too. Code review is a nice thing, but someone has to do it instead of just mentioning it.

At the Linuxwochen in Vienna I talked with someone from cacert.org. Apart from the code base there is another problem. Few, if any, CAs have a proper quality management for key and certificate creation. cacert.org has some ideas and I hope to read about them soon. http://hashserver.cacert.org/ is a start, but we need checks like this also when there's no bug around.

Best, René.


Top    Back


Rick Moen [rick at linuxmafia.com]


Mon, 19 May 2008 13:16:58 -0700

Quoting René Pfeiffer ([email protected]):

> At the Linuxwochen in Vienna I talked with someone from cacert.org.
> Apart from the code base there is another problem. Few, if any, CAs have
> a proper quality management for key and certificate creation. cacert.org
> has some ideas and I hope to read about them soon.

Bruce Schneier in Beyond Fear has an entire chapter devoted to debunking the commercial CAs' implication that they properly vet identities. It's the only chapter written in a noticeably irate, outraged spirit; one gets the impression that he's essentially accusing them of massive fraud, charging outrageous sums for services they do not in fact provide, and creating a false sense of protection.

Especially in that light, I respect CAcert's attempt at doing a better job without commercial backing, though I'm lastingly doubtful about putting much trust in at least some of the things they issue. E.g., I haven't bothered to get my Web site https/SSL certificate signed by CAcert's robot certificate authority (http://en.wikipedia.org/wiki/Robot_certificate_authority), because the certification thus achieved is weak and not very meaningful (http://en.wikipedia.org/wiki/CAcert).

But, regardless of my misgivings, I do strongly respect them for making the effort.

> http://hashserver.cacert.org/ is a start, but we need checks like this
> also when there's no bug around.

Bravo to CAcert, for that service!


Top    Back


Rick Moen [rick at linuxmafia.com]


Mon, 19 May 2008 17:53:39 -0700

I wrote:

> As pointed out in the blog comments, deliberately using initialised
^ un-

> memory is clever but misleading; a proper comment code clarifying that
> the practice is intentional would have done a world of good.  This point
> was also raised by Jon Corbet in LWN.net:
> http://lwn.net/Articles/282038/ (subscriber-only until this Thursday)

You can tell when I haven't yet had my coffee.


Top    Back