Difference between revisions of "Debian OpenSSL"
m (→Links) |
|||
Line 12: | Line 12: | ||
===OpenSSH=== |
===OpenSSH=== |
||
Etch version gives you openssh-blacklist package and ssh-vulnkey in openssh-client |
Etch version gives you openssh-blacklist package and ssh-vulnkey in openssh-client |
||
− | <br>This Etch version has a sshd which checks all client connections against the blacklist so even if the keys are still in authorized_keys you should be safe |
+ | <br>This Etch version has a sshd which checks all client connections against the blacklist so even if the keys are still in authorized_keys you should be safe |
+ | |||
+ | To generate yourself the vulnerable key set: |
||
+ | wget http://sugar.metasploit.com/ubunturoot.tar.bz2 |
||
+ | wget http://metasploit.com/users/hdm/tools/debian-openssl/dokeygen.sh |
||
+ | Put dokeygen.sh in the root of the ubuntu filesystem |
||
+ | Example for RSA 1024 (but RSA keys were upgraded by default to 2048 since Sept 2005) |
||
+ | sudo chroot ubunturoot |
||
+ | for ((i=1;i<32768;i++)); do |
||
+ | echo $i; |
||
+ | /dokeygen.sh $i -t rsa -b 1024 -f /tmp/rsa_1024_$i; |
||
+ | done |
||
+ | Ideally keys & blacklists must be generated on 32 & 64-bit platforms, little & big endian |
||
+ | |||
+ | Then to extract the fingerprints to make the blacklist |
||
+ | for ((i=1;i<32768;i++)); do |
||
+ | if [ -e rsa_1024_$i ]; then |
||
+ | echo $i; |
||
+ | f=$(ssh-keygen -l -f rsa_1024_$i|sed 's/1024 \([0-9a-f:]\+\) rsa.*/\1/;s/://g') |
||
+ | mv rsa_1024_$i $f-$i |
||
+ | mv rsa_1024_$i.pub $f-$i.pub |
||
+ | echo $f |sed 's/^............//'>> blacklist.RSA-1024 |
||
+ | fi |
||
+ | done |
||
+ | |||
===OpenSSL=== |
===OpenSSL=== |
||
wget https://launchpad.net/ubuntu/hardy/+source/openssl-blacklist/0.1-0ubuntu0.8.04.2/+files/openssl-blacklist_0.1-0ubuntu0.8.04.2.tar.gz |
wget https://launchpad.net/ubuntu/hardy/+source/openssl-blacklist/0.1-0ubuntu0.8.04.2/+files/openssl-blacklist_0.1-0ubuntu0.8.04.2.tar.gz |
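Review bot: The extraction loop added at the end of the OpenSSH section reads rsa_1024_$i from the current directory, while the generation loop writes to /tmp/rsa_1024_$i inside the chroot, so the text should say which directory the second loop is run from. The two added wget lines fetch a root filesystem and a script over plain http, and the script is then run as root in the chroot; consider adding a checksum or signature check before that step. A one-line comment on why sed 's/^............//' drops the first 12 hex characters of the fingerprint would also help, and there is no step that unpacks ubunturoot.tar.bz2 before "sudo chroot ubunturoot".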
Revision as of 11:13, 16 May 2008
This is a compilation of my notes on this matter
Links
- http://www.debian.org/security/2008/dsa-1576
- http://www.debian.org/security/key-rollover/
- http://metasploit.com/users/hdm/tools/debian-openssl/
- http://www.milw0rm.com/exploits/5622
- http://www.yobi.be/files/blacklist.RSA-1024 32-bit Intel platform
misc
OpenSSH
Etch version gives you openssh-blacklist package and ssh-vulnkey in openssh-client
This Etch version has a sshd which checks all client connections against the blacklist so even if the keys are still in authorized_keys you should be safe
To generate the vulnerable key set yourself:
 wget http://sugar.metasploit.com/ubunturoot.tar.bz2
 wget http://metasploit.com/users/hdm/tools/debian-openssl/dokeygen.sh
Put dokeygen.sh in the root of the ubuntu filesystem
Example for RSA 1024 (but RSA keys were upgraded by default to 2048 since Sept 2005)
 sudo chroot ubunturoot
 for ((i=1;i<32768;i++)); do
   echo $i;
   /dokeygen.sh $i -t rsa -b 1024 -f /tmp/rsa_1024_$i;
 done
Ideally keys & blacklists must be generated on 32 & 64-bit platforms, little & big endian
Then to extract the fingerprints to make the blacklist
 for ((i=1;i<32768;i++)); do
   if [ -e rsa_1024_$i ]; then
     echo $i;
     # fingerprint of the key, with the colons removed
     f=$(ssh-keygen -l -f rsa_1024_$i|sed 's/1024 \([0-9a-f:]\+\) rsa.*/\1/;s/://g')
     mv rsa_1024_$i $f-$i
     mv rsa_1024_$i.pub $f-$i.pub
     # the blacklist entry is the fingerprint minus its first 12 hex digits
     echo $f |sed 's/^............//'>> blacklist.RSA-1024
   fi
 done
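A defender-side use of a blacklist in the format built above, as an added example that is not part of the original notes: it audits an authorized_keys file by recomputing each key's MD5 fingerprint, dropping the first 12 hex digits and looking the rest up in the blacklist file. Function names and the sample key blobs are constructed, and it assumes GNU base64 and md5sum.

```sh
#!/bin/sh
# Added example, not from the original page. Assumes GNU coreutils
# (base64, md5sum); function names and sample data are constructed.

# Last 20 hex digits of the MD5 fingerprint of a base64 public-key blob,
# i.e. what the page's sed 's/^............//' leaves of the fingerprint.
blacklist_entry() {
    printf '%s' "$1" | base64 -d 2>/dev/null | md5sum | cut -c13-32
}

# Base64 blob of one authorized_keys line: the field after the key type,
# which also skips a leading options field.
key_blob() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++)
        if ($i == "ssh-rsa" || $i == "ssh-dss") { print $(i + 1); exit } }'
}

# audit_keys FILE BLACKLIST: print "LINENO ENTRY" for each blacklisted key.
# Exit status 0 when the file is clean, 1 when at least one key matched.
audit_keys() (
    n=0; hits=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in '#'*) continue ;; esac
        blob=$(key_blob "$line")
        [ -n "$blob" ] || continue          # blank line or unknown key type
        entry=$(blacklist_entry "$blob")
        if grep -qxF -- "$entry" "$2"; then
            echo "$n $entry"; hits=$((hits + 1))
        fi
    done < "$1"
    [ "$hits" -eq 0 ]
)

# Constructed sample: two truncated, non-functional key blobs; the blacklist
# is built from the first one so the audit has something to find.
demo() (
    dir=$(mktemp -d) || exit 2
    printf '%s\n' '# constructed test data' \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC0 old@host' \
        'no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC1 new@host' > "$dir/ak"
    blacklist_entry AAAAB3NzaC1yc2EAAAADAQABAAAAQQC0 > "$dir/blacklist.RSA-1024"
    audit_keys "$dir/ak" "$dir/blacklist.RSA-1024"; rc=$?
    rm -rf "$dir"
    exit "$rc"
)
```

Call `demo` to run the constructed sample, or `audit_keys ~/.ssh/authorized_keys blacklist.RSA-1024` against a real file; option fields containing a bare `ssh-rsa` word are not handled.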
OpenSSL
 wget https://launchpad.net/ubuntu/hardy/+source/openssl-blacklist/0.1-0ubuntu0.8.04.2/+files/openssl-blacklist_0.1-0ubuntu0.8.04.2.tar.gz
 tar xzf openssl-blacklist_0.1-0ubuntu0.8.04.2.tar.gz
 cd openssl-blacklist-0.1
Edit debian/control and clean out the dependency on openssl for Ubuntu
 fakeroot debian/rules binary
 cd ..
 sudo dpkg -i openssl-blacklist_0.1-0ubuntu0.8.04.2_all.deb
Now you have the openssl-vulnkey tool
OpenVPN
It's not about the SSL keys, those can be checked with openssl-vulnkey.
It's about the shared static keys (openvpn --genkey)
 wget https://launchpad.net/ubuntu/hardy/+source/openvpn-blacklist/0.1-0ubuntu0.8.04.1/+files/openvpn-blacklist_0.1-0ubuntu0.8.04.1.tar.gz
 tar xzf openvpn-blacklist_0.1-0ubuntu0.8.04.1.tar.gz
 cd openvpn-blacklist-0.1
 fakeroot debian/rules binary
 cd ..
 sudo dpkg -i openvpn-blacklist_0.1-0ubuntu0.8.04.1_all.deb
Now you have the openvpn-vulnkey tool
Others
- encfs
- My key is older, phew!