17th September 2008

Quickly check for Debian SSH/SSL key weakness

As you probably know, there is a major problem in the Debian/Ubuntu OpenSSL package. It is a very old bug related to the PRNG (pseudo-random number generator). How do you check your key pair?

You can find two files containing the entire key space at http://metasploit.com/users/hdm/tools/debian-openssl/. Finding out whether your key is in it is simple. Extract one of the files (depending on key type and size). The extracted files are named after the fingerprint of the public key, so:

Just get your fingerprint with:

% ssh-keygen -l -f id_dsa | cut -d " " -f 2 | sed "s/://g"
f9040774bddfdfed7c2fccdfac60ad26

Then check for a file with that name in the key space with ls. Simple, huh?! If your key is in there, it's bad. To get access to your system, the only thing an attacker has to do is try every key in the key space (check MaxAuthTries in sshd_config). It's just a question of time...
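The check described above, scripted as an added example (not code from the original post): it computes the same colon-less MD5 fingerprint directly from the public key blob, so it also works on newer OpenSSH releases where ssh-keygen prints SHA256 fingerprints by default, and it goes beyond a single key pair by walking every key line of a .pub or authorized_keys file. The function names, the key space directory argument and the "file name starts with the fingerprint" convention are assumptions; GNU base64 and md5sum are required.

```shell
#!/bin/sh
# Added example: audit public keys against an extracted, fingerprint-named key space.
# Usage (paths are assumptions): sh check-keys.sh ~/.ssh/authorized_keys /path/to/extracted/keyspace

# Print one colon-less MD5 fingerprint per key line of a .pub or authorized_keys file.
# The fingerprint is the MD5 of the base64-decoded key blob, i.e. what the
# ssh-keygen pipeline in the post prints for a single key.
list_fingerprints() {
    # Skip comments; the blob is the field right after the key type, which may
    # itself follow authorized_keys options such as "no-pty".
    awk '!/^#/ { for (i = 1; i < NF; i++) if ($i ~ /^(ssh-|ecdsa-)/) { print $(i + 1); break } }' "$1" |
    while read -r blob; do
        # Ignore lines whose blob is not valid base64 instead of hashing garbage.
        printf '%s' "$blob" | base64 -d >/dev/null 2>&1 || continue
        printf '%s' "$blob" | base64 -d | md5sum | cut -d ' ' -f 1
    done
}

# Report every key in FILE ($1); return 0 if at least one fingerprint has a
# matching file in the key space directory ($2), 1 if none does.
check_keys() {
    file=$1
    dir=$2
    weak=1
    for fp in $(list_fingerprints "$file"); do
        # Glob on the prefix: entries may carry a suffix after the fingerprint.
        if ls "$dir/$fp"* >/dev/null 2>&1; then
            echo "WEAK $fp $file"
            weak=0
        else
            echo "ok   $fp $file"
        fi
    done
    return $weak
}

# Run only when both arguments are given, so the file can also be sourced.
[ "$#" -lt 2 ] || check_keys "$1" "$2"
```

Any line reported as WEAK identifies a key that should be regenerated on a fixed system and removed from every authorized_keys file that lists it.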

This entry was posted on Wednesday, September 17th, 2008 at 10:53 am.