[QCLUG] Virus in Ubuntu
Steve Langasek
vorlon@dodds.net
Wed, 14 May 2008 21:59:31 -0700

On Wed, May 14, 2008 at 08:40:17PM -0500, Dave Bergert wrote:
> Speaking of Linux Security ...
> Has anyone seen this:
> http://isc.sans.org/diary.html?storyid=4414

Yes.

> OpenSSH: Predictable PRNG in debian and ubuntu Linux
> Any comments or thoughts ?

Take it seriously. If you're running Debian or Ubuntu (or a derivative
thereof based on something newer than sarge/edgy), follow the directions in
the security advisories to get your system updated and generate new host and
user keys to replace any vulnerable ones. If you have a DSA SSH key (not
the default) that you've used to *authenticate* to/from a host affected by
this issue, consider that this key may be compromised and replace it even if
it was not generated on a vulnerable system.

Debian's alioth code hosting service has taken the precaution of disabling
all use of DSA keys for authentication, allowing only RSA2 keys to be used
for access. This is a very broad policy change and may conceivably be
reversed in the future once the storm has passed, but for the time being
this is a prudent course of action given that a DSA key belonging to any
random user on their (or your, or anyone's) host could already be
compromised without their knowledge and used as a vector for further
compromising, or could be compromised in the very process of using it if the
remote user has not yet upgraded their vulnerable OpenSSL implementation.
http://lists.debian.org/debian-devel-announce/2008/05/msg00004.html

So even if *you* don't run any Debian or Ubuntu systems, if you run any
server that allows other users to log in, disabling DSA authentication
altogether is something you may want to consider. Unfortunately, there
doesn't seem to be a way to do this in general with OpenSSH at present.
However, one precautionary step to take is to disable the DSA host key on
the server side, by commenting out the 'HostKey /etc/ssh/ssh_host_dsa_key'
line in /etc/ssh/sshd_config.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
Ubuntu Developer                 http://www.debian.org/
slangasek@ubuntu.com                                   vorlon@debian.org
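The server-side step described in the message above, as an added example that is not part of the original post: a small POSIX shell script that comments out the DSA `HostKey` line in an sshd_config and verifies that only the RSA host key remains active. The config excerpt it operates on is constructed for the demonstration; the function names (`make_sample_config`, `dsa_hostkey_active`, `disable_dsa_hostkey`, `count_active_hostkeys`) are mine, not OpenSSH's.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post. Demonstrates
# disabling the DSA host key in sshd_config by commenting out the
# 'HostKey /etc/ssh/ssh_host_dsa_key' line, then checking the result.

# Write a constructed sshd_config excerpt (sample data for this example)
# to the path given as $1.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config excerpt for the example
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
PasswordAuthentication no
EOF
}

# Exit 0 if the config still has an active (uncommented) DSA HostKey line.
dsa_hostkey_active() {
    grep -Eq '^[[:space:]]*HostKey[[:space:]]+.*ssh_host_dsa_key[[:space:]]*$' "$1"
}

# Comment out every active DSA HostKey line in the config at $1.
# A backup is kept at $1.bak; a temp file plus mv avoids the GNU/BSD
# difference in 'sed -i' semantics.
disable_dsa_hostkey() {
    cfg="$1"
    cp "$cfg" "$cfg.bak"
    sed -E 's|^([[:space:]]*HostKey[[:space:]]+.*ssh_host_dsa_key[[:space:]]*)$|#\1|' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Print the number of HostKey lines that are still active (not commented).
count_active_hostkeys() {
    grep -Ec '^[[:space:]]*HostKey[[:space:]]' "$1" || true
}

# Stand-alone demo on a temporary file.
demo_cfg=$(mktemp)
make_sample_config "$demo_cfg"
echo "before: $(count_active_hostkeys "$demo_cfg") active HostKey line(s)"
disable_dsa_hostkey "$demo_cfg"
echo "after:  $(count_active_hostkeys "$demo_cfg") active HostKey line(s)"
if dsa_hostkey_active "$demo_cfg"; then
    echo "DSA host key still active"
else
    echo "DSA host key disabled"
fi
rm -f "$demo_cfg" "$demo_cfg.bak"
```

On a real server, run this against `/etc/ssh/sshd_config`, validate the file with `sshd -t` before restarting sshd, and make sure at least one other `HostKey` line (the RSA key here) stays active or the daemon will have no host key to offer. This only removes the server's DSA host key; it does not stop clients from authenticating with DSA user keys, which is the limitation the message notes for OpenSSH of that era. Later OpenSSH releases (7.0 onward) stopped accepting ssh-dss user keys by default, and the `PubkeyAcceptedAlgorithms` directive (`PubkeyAcceptedKeyTypes` before 8.5) lets a server restrict accepted user key types explicitly.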