Difference between revisions of "Debian OpenSSL"

From YobiWiki
Line 13: Line 13:
 
Etch version gives you openssh-blacklist package and ssh-vulnkey in openssh-client
 
Etch version gives you openssh-blacklist package and ssh-vulnkey in openssh-client
 
<br>This Etch version has a sshd which checks all client connections against the blacklist so even if the keys are still in authorized_keys you should be safe
 
<br>This Etch version has a sshd which checks all client connections against the blacklist so even if the keys are still in authorized_keys you should be safe
  +
====Renew server keys====
  +
<source lang=bash>
  +
mv /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.broken
  +
mv /etc/ssh/ssh_host_dsa_key.pub /etc/ssh/ssh_host_dsa_key.pub.broken
  +
mv /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.broken
  +
mv /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_rsa_key.pub.broken
  +
dpkg-reconfigure openssh-server
  +
ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key
  +
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
  +
</source>
   
  +
====Generate vuln keys & blacklists====
 
To generate yourself the vulnerable key set:
 
To generate yourself the vulnerable key set:
 
wget http://sugar.metasploit.com/ubunturoot.tar.bz2
 
wget http://sugar.metasploit.com/ubunturoot.tar.bz2
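Review bot: the new "Renew server keys" block lists its commands with no explanation. Add a sentence saying that dpkg-reconfigure openssh-server is the step that regenerates the host keys once the old ones have been moved aside, and that the two ssh-keygen -l lines print the new fingerprints so they can be given to users, whose known_hosts entries will no longer match. Since the lines just above already mention ssh-vulnkey, a last step running it on the new host keys would confirm they are not blacklisted. The block should also say what to do with the .broken copies it leaves in /etc/ssh.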
Line 19: Line 30:
 
Put dokeygen.sh in the root of the ubuntu filesystem
 
Put dokeygen.sh in the root of the ubuntu filesystem
 
Example for RSA 1024 (but RSA keys were upgraded by default to 2048 since Sept 2005)
 
Example for RSA 1024 (but RSA keys were upgraded by default to 2048 since Sept 2005)
  +
<source lang=bash>
sudo chroot ubunturoot
+
sudo chroot ubunturoot
for ((i=1;i<32768;i++)); do
+
for ((i=1;i<32768;i++)); do
echo $i;
 
  +
echo $i;
/dokeygen.sh $i -t rsa -b 1024 -f /tmp/rsa_1024_$i;
+
/dokeygen.sh $i -t rsa -b 1024 -f /tmp/rsa_1024_$i;
done
+
done
  +
</source>
 
Ideally keys & blacklists must be generated on 32 & 64-bit platforms, little & big endian
 
Ideally keys & blacklists must be generated on 32 & 64-bit platforms, little & big endian
   
 
Then to extract the fingerprints to make the blacklist
 
Then to extract the fingerprints to make the blacklist
  +
<source lang=bash>
for ((i=1;i<32768;i++)); do
+
for ((i=1;i<32768;i++)); do
if [ -e rsa_1024_$i ]; then
 
echo $i;
+
if [ -e rsa_1024_$i ]; then
 
echo $i;
f=$(ssh-keygen -l -f rsa_1024_$i|sed 's/1024 \([0-9a-f:]\+\) rsa.*/\1/;s/://g')
 
mv rsa_1024_$i $f-$i
+
f=$(ssh-keygen -l -f rsa_1024_$i|sed 's/1024 \([0-9a-f:]\+\) rsa.*/\1/;s/://g')
mv rsa_1024_$i.pub $f-$i.pub
+
mv rsa_1024_$i $f-$i
 
mv rsa_1024_$i.pub $f-$i.pub
echo $f |sed 's/^............//'>> blacklist.RSA-1024
+
echo $f |sed 's/^............//'>> blacklist.RSA-1024
fi
+
fi
done
+
done
  +
</source>
   
 
===OpenSSL===
 
===OpenSSL===
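Review bot: in the fingerprint-extraction loop, f is used without any check. If ssh-keygen fails or the sed pattern does not match, the two mv lines rename the key pair to a wrong name and a bad line is appended to blacklist.RSA-1024. Test that $f is 32 hex digits before the mv lines and skip the key otherwise. The generation loop writes to /tmp/rsa_1024_$i inside the chroot while this loop reads rsa_1024_$i from the current directory, so the text should state where the second loop has to be run.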

Revision as of 11:15, 16 May 2008

This is a compilation of my notes on this matter

Links

misc

OpenSSH

The Etch version gives you the openssh-blacklist package, and ssh-vulnkey in openssh-client.
This Etch version has an sshd which checks all client connections against the blacklist, so even if the keys are still in authorized_keys you should be safe.

Renew server keys

mv /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.broken
mv /etc/ssh/ssh_host_dsa_key.pub /etc/ssh/ssh_host_dsa_key.pub.broken
mv /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.broken
mv /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_rsa_key.pub.broken
dpkg-reconfigure openssh-server
ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key

Generate vuln keys & blacklists

To generate the vulnerable key set yourself:

wget http://sugar.metasploit.com/ubunturoot.tar.bz2
wget http://metasploit.com/users/hdm/tools/debian-openssl/dokeygen.sh

Put dokeygen.sh in the root of the Ubuntu filesystem.

Example for RSA 1024 (but the default RSA key size has been 2048 since Sept 2005):

sudo chroot ubunturoot
for ((i=1;i<32768;i++)); do 
  echo $i;
  /dokeygen.sh $i -t rsa -b 1024 -f /tmp/rsa_1024_$i; 
done

Ideally, keys and blacklists must be generated on both 32-bit and 64-bit platforms, little- and big-endian.

Then extract the fingerprints to make the blacklist:

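# Run in the directory holding the generated keys (/tmp inside the chroot)
for ((i=1;i<32768;i++)); do
  if [ -e rsa_1024_$i ]; then
    echo $i;
    # Fingerprint of the key with the colons removed
    f=$(ssh-keygen -l -f rsa_1024_$i|sed 's/1024 \([0-9a-f:]\+\) rsa.*/\1/;s/://g')
    # Rename the key pair to <fingerprint>-<i>
    mv rsa_1024_$i $f-$i
    mv rsa_1024_$i.pub $f-$i.pub
    # The blacklist entry is the fingerprint without its first 12 hex digits
    echo $f |sed 's/^............//'>> blacklist.RSA-1024
  fi
done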
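
The lookup side of the blacklist built above, as an added example that is not part of the original notes or of the openssh-blacklist package: it reduces a fingerprint the same way the loop does (colons removed, first 12 hex digits dropped) and searches the file for it. The function names `blacklist_entry` and `is_blacklisted` are hypothetical, and the sample fingerprints and blacklist are constructed.

```sh
#!/bin/sh
# Added example. Fingerprints come from `ssh-keygen -l -f key.pub`
# (on OpenSSH 6.8 or later add `-E md5` to get the MD5 form).

# Turn "MD5:aa:bb:..." or "aa:bb:..." into the 20-hex-digit blacklist entry.
blacklist_entry() {
  _fp=$(printf '%s' "${1#MD5:}" | tr -d ':' | tr 'A-F' 'a-f')
  # An MD5 fingerprint is exactly 32 hex digits; reject anything else,
  # for instance a SHA256 fingerprint, which cannot be matched here.
  case $_fp in
    *[!0-9a-f]*) return 2 ;;
  esac
  [ "${#_fp}" -eq 32 ] || return 2
  # Same reduction as the sed in the loop above: drop the first 12 digits.
  printf '%s\n' "$_fp" | cut -c13-
}

# Return 0 if the fingerprint is listed, 1 if it is not,
# 2 if the fingerprint is malformed or the blacklist cannot be read.
is_blacklisted() {
  _entry=$(blacklist_entry "$1") || return 2
  # -x whole line, -F fixed string: a comment line can never equal an entry.
  grep -qxF -- "$_entry" "$2"
}

# Demo on constructed data (these are not real key fingerprints).
demo() {
  _bl=$(mktemp)
  printf '%s\n' '# constructed blacklist' '33445566778899aabbcc' > "$_bl"
  for _k in 'MD5:00:11:22:aa:bb:cc:33:44:55:66:77:88:99:aa:bb:cc' \
            'ff:11:22:aa:bb:cc:33:44:55:66:77:88:99:aa:bb:cd' \
            'SHA256:notAnMd5Fingerprint'; do
    _rc=0
    is_blacklisted "$_k" "$_bl" || _rc=$?
    echo "$_k -> $_rc"
  done
  rm -f "$_bl"
}
demo
```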

OpenSSL

wget https://launchpad.net/ubuntu/hardy/+source/openssl-blacklist/0.1-0ubuntu0.8.04.2/+files/openssl-blacklist_0.1-0ubuntu0.8.04.2.tar.gz
tar xzf openssl-blacklist_0.1-0ubuntu0.8.04.2.tar.gz
cd openssl-blacklist-0.1
# Edit debian/control and remove the dependency on openssl for Ubuntu
fakeroot debian/rules binary
cd ..
sudo dpkg -i openssl-blacklist_0.1-0ubuntu0.8.04.2_all.deb

Now you have the openssl-vulnkey tool.

OpenVPN

It's not about the SSL keys; those can be checked with openssl-vulnkey.
It's about the shared static keys (openvpn --genkey).

wget https://launchpad.net/ubuntu/hardy/+source/openvpn-blacklist/0.1-0ubuntu0.8.04.1/+files/openvpn-blacklist_0.1-0ubuntu0.8.04.1.tar.gz
tar xzf openvpn-blacklist_0.1-0ubuntu0.8.04.1.tar.gz
cd openvpn-blacklist-0.1
fakeroot debian/rules binary
cd ..
sudo dpkg -i openvpn-blacklist_0.1-0ubuntu0.8.04.1_all.deb

Now you have the openvpn-vulnkey tool.

Others

  • encfs
    • My key is older, phew!