Debian OpenSSL: Difference between revisions

From YobiWiki
Jump to navigation Jump to search
← Older editNewer edit →
Content deleted Content added
Line 12: Line 12:
===OpenSSH===
===OpenSSH===
Etch version gives you openssh-blacklist package and ssh-vulnkey in openssh-client
Etch version gives you openssh-blacklist package and ssh-vulnkey in openssh-client
<br>This Etch version has a sshd which checks all client connections against the blacklist so even if the keys are still in authorized_keys you should be safe
<br>This Etch version has a sshd which checks all client connections against the blacklist so even if the keys are still in authorized_keys you should be safe

To generate yourself the vulnerable key set:
wget http://sugar.metasploit.com/ubunturoot.tar.bz2
wget http://metasploit.com/users/hdm/tools/debian-openssl/dokeygen.sh
Put dokeygen.sh in the root of the ubuntu filesystem
Example for RSA 1024 (but RSA keys were upgraded by default to 2048 since Sept 2005)
sudo chroot ubunturoot
for ((i=1;i<32768;i++)); do
echo $i;
/dokeygen.sh $i -t rsa -b 1024 -f /tmp/rsa_1024_$i;
done
Ideally keys & blacklists must be generated on 32 & 64-bit platforms, little & big endian

Then to extract the fingerprints to make the blacklist
for ((i=1;i<32768;i++)); do
if [ -e rsa_1024_$i ]; then
echo $i;
f=$(ssh-keygen -l -f rsa_1024_$i|sed 's/1024 \([0-9a-f:]\+\) rsa.*/\1/;s/://g')
mv rsa_1024_$i $f-$i
mv rsa_1024_$i.pub $f-$i.pub
echo $f |sed 's/^............//'>> blacklist.RSA-1024
fi
done

===OpenSSL===
===OpenSSL===
wget https://launchpad.net/ubuntu/hardy/+source/openssl-blacklist/0.1-0ubuntu0.8.04.2/+files/openssl-blacklist_0.1-0ubuntu0.8.04.2.tar.gz
wget https://launchpad.net/ubuntu/hardy/+source/openssl-blacklist/0.1-0ubuntu0.8.04.2/+files/openssl-blacklist_0.1-0ubuntu0.8.04.2.tar.gz

Revision as of 10:13, 16 May 2008

This is a compilation of my notes on this matter

Links

misc

OpenSSH

Etch version gives you openssh-blacklist package and ssh-vulnkey in openssh-client
This Etch version has a sshd which checks all client connections against the blacklist so even if the keys are still in authorized_keys you should be safe

To generate yourself the vulnerable key set: 

wget http://sugar.metasploit.com/ubunturoot.tar.bz2
wget http://metasploit.com/users/hdm/tools/debian-openssl/dokeygen.sh

Put dokeygen.sh in the root of the ubuntu filesystem Example for RSA 1024 (but RSA keys were upgraded by default to 2048 since Sept 2005) 

sudo chroot ubunturoot
for ((i=1;i<32768;i++)); do 
  echo $i;
  /dokeygen.sh $i -t rsa -b 1024 -f /tmp/rsa_1024_$i; 
done

Ideally keys & blacklists must be generated on 32 & 64-bit platforms, little & big endian

Then to extract the fingerprints to make the blacklist 

for ((i=1;i<32768;i++)); do 
  if [ -e rsa_1024_$i ]; then
    echo $i;
    f=$(ssh-keygen -l -f rsa_1024_$i|sed 's/1024 \([0-9a-f:]\+\) rsa.*/\1/;s/://g') 
    mv rsa_1024_$i $f-$i 
    mv rsa_1024_$i.pub $f-$i.pub 
    echo $f |sed 's/^............//'>> blacklist.RSA-1024 
  fi 
done

OpenSSL

wget https://launchpad.net/ubuntu/hardy/+source/openssl-blacklist/0.1-0ubuntu0.8.04.2/+files/openssl-blacklist_0.1-0ubuntu0.8.04.2.tar.gz
tar xzf openssl-blacklist_0.1-0ubuntu0.8.04.2.tar.gz
cd openssl-blacklist-0.1
Edit debian/control and cleans the dependence on openssl for Ubuntu
fakeroot debian/rules binary
cd ..
sudo dpkg -i openssl-blacklist_0.1-0ubuntu0.8.04.2_all.deb

Now you have openssl-vulnkey tool

OpenVPN

It's not about the SSL keys, those can be checked with openssl-vulnkey.
It's about the shared static keys (openvpn -genkey) 

wget https://launchpad.net/ubuntu/hardy/+source/openvpn-blacklist/0.1-0ubuntu0.8.04.1/+files/openvpn-blacklist_0.1-0ubuntu0.8.04.1.tar.gz
tar xzf openvpn-blacklist_0.1-0ubuntu0.8.04.1.tar.gz
cd openvpn-blacklist-0.1
fakeroot debian/rules binary
cd ..
sudo dpkg -i openvpn-blacklist_0.1-0ubuntu0.8.04.1_all.deb

Now you have openvpn-vulnkey tool

Others

  • encfs
    • My key is older, ouf!
Retrieved from "https://wiki.yobi.be/index.php?title=Debian_OpenSSL&oldid=4408"