Debian-news is about one simple thing - news about Debian GNU/Linux and the top free distributions based on Debian GNU/Linux.


 

debian infrastructure ssh key logins disabled, passwords reset

Hi,

this email contains several important points. Please read all of it
carefully.

Due to the weakness in our openssl's random number generator (see the
Debian Security Advisory #1571 from a few minutes ago[1]) that affects
among other things ssh keys we have disabled public key auth on all
project systems until further notice.

If you operate a service on debian.org machines that requires key based
auth for instance to transfer stuff between hosts or to push rebuilds
please contact DSA[2] after you verified the keys in question are safe,
or have replaced them. We can enable individual accounts' key based
access.

Export of ssh keys from the LDAP to our machines is currently disabled,
and will be enabled only after we have cleared all ssh keys from the
database and put reasonable safeguards in place to prevent people from
uploading bad keys. An announcement will be made on the mailing list
debian-infrastructure-announce[4] at such time. There is no point
in adding new keys to the ldap right now.

Since the nature of the crypto used in ssh cannot ensure confidentiality
if either side uses weak random numbers[5] we have also randomized all
user passwords in LDAP. Feel free to request a new one using the
standard password recovery procedure[6], but only use the new password
once you have upgraded your client system! (We are upgrading the
servers at this moment.)

We will also have to replace several ssh host keys. We'll try to
keep db.d.o[7] as current as possible. Once we are done a new
list will be posted to dia[4].

We also had to replace the SSL certificate on db.debian.org because
its CA which is operated by Software in the Public Interest (SPI) is
known to have been created with an SSL with the bug. The new SPI
CA can be found at the SPI's secretary page[8], its fingerprints
signed by Joerg Jaspert's GPG key. They are:
SHA1: AF:70:88:43:83:82:02:15:CD:61:C6:BC:EC:FD:37:24:A9:90:43:1C
MD5: 2A:47:9F:60:BB:83:74:6F:01:03:D7:0B:0D:F6:0D:78
[A copy of the cert is available at http://ca.debian.org/spi-cacert.crt]

Should you choose not to import SPI's root CA into your browser then
you can just accept the new cert for db.debian.org. Its fingerprints
are:
SHA1: 11:0D:E1:07:19:27:36:22:C5:CD:19:D6:E6:33:44:A2:C6:61:F7:B1
MD5: BA:6C:17:D5:38:52:80:47:A9:7F:32:BE:CF:4C:45:D4
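The fingerprint check the announcement asks for, as an added example (not part of the original email or any Debian tooling): it reads a PEM certificate, hashes its DER encoding the way `openssl x509 -fingerprint` does, and compares the result with the values published above. The file path argument is an assumption; the constructed sample in the comments is not a real certificate.

```python
import base64
import hashlib
import re
import sys

# Fingerprints published in the announcement for the new db.debian.org cert.
PUBLISHED = {
    "sha1": "11:0D:E1:07:19:27:36:22:C5:CD:19:D6:E6:33:44:A2:C6:61:F7:B1",
    "md5": "BA:6C:17:D5:38:52:80:47:A9:7F:32:BE:CF:4C:45:D4",
}

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM text."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, algo: str) -> str:
    """Colon-separated uppercase hex digest of the DER, as openssl prints it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_fingerprints(pem: str, published: dict) -> dict:
    """Compare every published fingerprint with the one computed from the cert.

    Returns {algo: matched}. Trust the certificate only if every entry is True;
    an MD5 match on its own is not strong evidence, so the SHA-1 value must match too.
    """
    der = pem_to_der(pem)
    return {algo: fingerprint(der, algo) == expected.upper()
            for algo, expected in published.items()}


if __name__ == "__main__":
    # Assumed usage: python verify_fp.py db.debian.org.pem
    with open(sys.argv[1]) as fh:
        results = verify_fingerprints(fh.read(), PUBLISHED)
    for algo, ok in results.items():
        print(f"{algo}: {'match' if ok else 'MISMATCH'}")
    sys.exit(0 if all(results.values()) else 1)
```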

SSL certs for other services will be replaced in the next few
hours/days as time permits.

Thanks,
Your Debian System Administrators

1. http://lists.debian.org/debian-security-announce/2008/msg00152.html
2. debian-admin@lists.debian.org, or through the request tracker[3]
3. http://wiki.debian.org/rt.debian.org
4. http://lists.debian.org/debian-infrastructure-announce/
5. this is pure speculation on my part, and I'd love to be proven wrong.
Alas, I think I'm right.
6. http://db.debian.org/password.html
7. https://db.debian.org/doc-hosts.html
8. http://www.spi-inc.org/secretary
