Skip to main content
Welcome guest. | Register | Login | Post

Updating RSA keys and known_hosts (in the wake of the recent Debian vulnerability)

4 replies [Last post]
libervisco's picture
Offline
Joined: 2006-05-04

My first word of this was from Gustavo, and I later read more about it on computerworld. Apparently, all SSL and SSH keys generated between September 17th 2006 and May 13th 2008 are due to a bug discovered on May 13 vulnerable to brute force attacks.

My server, which I call "libernode", but is actually the main server of Libervis Network (and soon to host both Libervis.com and Nuxified.org) runs Debian and the latest update fixed the hole and forced regeneration of all keys (at least I think so, but I'll have to check again with the supplied ssh-vulnkey. Luckily we only have few SSH users, most of which are Nuxified members. Smiling

I wanted to send an email notification about this, just in case anyone wants to connect, but couldn't (faced with the "remote host identification has changed" warning), however I'm not sure what to recommend as a way to update the .ssh/known_hosts file. I personally don't mind just deleting it and then answering "yes" again to SSH prompts, but there might be a better way to recommend to others.. I looked around a bit, but couldn't find it.. they just usually say to update it..

And manually editing the file is scary.. it only contains long strings of numbers and letters so it's not easy to know which key is for what server.

Thanks

Gustavo's picture
Offline
Joined: 2006-09-11
Hi, Danijel!Here's the

Hi, Danijel!

Here's the summary:

On your Debian server:

# upgrade
sudo aptitude update
sudo aptitude dist-upgrade

# check the fingerprint of the new key:
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key

# restart
sudo shutdown -r now

Now remove your server's previous pub key (which is the doubt you had):

# on your computer...
ssh-keygen -R example.org

On your computer:

# upgrade your computer:
sudo aptitude update
sudo aptitude upgrade

# create  a new RSA key; store it at, say, /home/you/.ssh/safe_id_rsa
ssh-keygen -t rsa

# updating your public key on your server (replace example.org by your IP or host name)
scp .ssh/safe_id_rsa.pub example.org:.ssh/authorized_keys

# backup previous keys:
cd ~/.ssh
mv id_rsa id_rsa.old
mv id_rsa.pub id_rsa.pub.old

# using the newly created, safe keys:
mv safe_id_rsa id_rsa
mv safe_id_rsa.pub id_rsa.pub

Now, try accessing your server again. You will get two warnings, which should be accepted if and only if the fingerprint matches the one in the output of 'ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key'.

HTH.

libervisco's picture
Offline
Joined: 2006-05-04
Thanks Gustavo. It does

Thanks Gustavo. It does help, although my original intention wasn't to change the way I authenticate to my server, but rather to just see if there's a better way for other SSH users to remove the old server key from their known_hosts file now that the updated changed them.

So the command to do that is ssh-keygen -R example.org and I just need to tell them to replace example.org with libervis.net or whatever other hostname they saved the given IP as. I suppose even a full IP address would work here? Some might be accessing it with an IP directly, through "libervis.net" or by an alias (like I use at home: @libernod where libernod is in /etc/hosts mapped to my server IP).

I did go through your steps anyway so I have password-less login.

Though I still wonder why is that any more secure, to be honest? I mean, generally, now anyone with access to my computer while it is on can just pop into my server with no question. I think even if someone was to in some odd circumstances hack into my desktop home user he could now also gain access to my server as well, right? Isn't it better to have a password in my head instead of a key on my computer, as being required to access? I guess both is best, but somehow, when choosing between the two, unless I'm missing something, password seems better.

But I'm obviously not an expert on this. Smiling

Thank you

Offline
Joined: 2006-03-28
The server-key is stored

The server-key is stored together with either the hostname or the IP. Thus it is possible to just delete the corresponding line from ~/.ssh/known_hosts.
I've done that a few times without any problems.

libervisco's picture
Offline
Joined: 2006-05-04
I see. Well I sent the

I see. Smiling Well I sent the mail already so everyone who uses the server knows what's happening at least. I just suggested running ssh-keygen -R libervis.net to remove the old key. To be honest though, most users either rarely use SSH or are quite savvy about it anyway. Eye

Thanks

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.