Difference between revisions of "Debian OpenSSL"
Jump to navigation
Jump to search
m (→OpenSSH) |
|||
| Line 13: | Line 13: | ||
Etch version gives you openssh-blacklist package and ssh-vulnkey in openssh-client |
Etch version gives you openssh-blacklist package and ssh-vulnkey in openssh-client |
||
<br>This Etch version has a sshd which checks all client connections against the blacklist so even if the keys are still in authorized_keys you should be safe |
<br>This Etch version has a sshd which checks all client connections against the blacklist so even if the keys are still in authorized_keys you should be safe |
||
| + | ====Renew server keys==== |
||
| + | <source lang=bash> |
||
| + | mv /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.broken |
||
| + | mv /etc/ssh/ssh_host_dsa_key.pub /etc/ssh/ssh_host_dsa_key.pub.broken |
||
| + | mv /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.broken |
||
| + | mv /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_rsa_key.pub.broken |
||
| + | dpkg-reconfigure openssh-server |
||
| + | ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key |
||
| + | ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key |
||
| + | </source> |
||
| + | ====Generate vuln keys & blacklists==== |
||
To generate yourself the vulnerable key set: |
To generate yourself the vulnerable key set: |
||
wget http://sugar.metasploit.com/ubunturoot.tar.bz2 |
wget http://sugar.metasploit.com/ubunturoot.tar.bz2 |
||
| Line 19: | Line 30: | ||
Put dokeygen.sh in the root of the ubuntu filesystem |
Put dokeygen.sh in the root of the ubuntu filesystem |
||
Example for RSA 1024 (but RSA keys were upgraded by default to 2048 since Sept 2005) |
Example for RSA 1024 (but RSA keys were upgraded by default to 2048 since Sept 2005) |
||
| + | <source lang=bash> |
||
| − | + | sudo chroot ubunturoot |
|
| − | + | for ((i=1;i<32768;i++)); do |
|
| ⚫ | |||
| + | echo $i; |
||
| − | + | /dokeygen.sh $i -t rsa -b 1024 -f /tmp/rsa_1024_$i; |
|
| − | + | done |
|
| + | </source> |
||
Ideally keys & blacklists must be generated on 32 & 64-bit platforms, little & big endian |
Ideally keys & blacklists must be generated on 32 & 64-bit platforms, little & big endian |
||
Then to extract the fingerprints to make the blacklist |
Then to extract the fingerprints to make the blacklist |
||
| + | <source lang=bash> |
||
| − | + | for ((i=1;i<32768;i++)); do |
|
| ⚫ | |||
| − | + | if [ -e rsa_1024_$i ]; then |
|
| ⚫ | |||
| − | f=$(ssh-keygen -l -f rsa_1024_$i|sed 's/1024 \([0-9a-f:]\+\) rsa.*/\1/;s/://g') |
||
| − | + | f=$(ssh-keygen -l -f rsa_1024_$i|sed 's/1024 \([0-9a-f:]\+\) rsa.*/\1/;s/://g') |
|
| − | + | mv rsa_1024_$i $f-$i |
|
| ⚫ | |||
| − | + | echo $f |sed 's/^............//'>> blacklist.RSA-1024 |
|
| − | + | fi |
|
| − | + | done |
|
| + | </source> |
||
===OpenSSL=== |
===OpenSSL=== |
||
Revision as of 12:15, 16 May 2008
This is a compilation of my notes on this matter
Links
- http://www.debian.org/security/2008/dsa-1576
- http://www.debian.org/security/key-rollover/
- http://metasploit.com/users/hdm/tools/debian-openssl/
- http://www.milw0rm.com/exploits/5622
- http://www.yobi.be/files/blacklist.RSA-1024 32-bit Intel platform
misc
OpenSSH
Etch version gives you openssh-blacklist package and ssh-vulnkey in openssh-client
This Etch version has a sshd which checks all client connections against the blacklist so even if the keys are still in authorized_keys you should be safe
Renew server keys
mv /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.broken
mv /etc/ssh/ssh_host_dsa_key.pub /etc/ssh/ssh_host_dsa_key.pub.broken
mv /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.broken
mv /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_rsa_key.pub.broken
dpkg-reconfigure openssh-server
ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
Generate vuln keys & blacklists
To generate yourself the vulnerable key set:
wget http://sugar.metasploit.com/ubunturoot.tar.bz2 wget http://metasploit.com/users/hdm/tools/debian-openssl/dokeygen.sh
Put dokeygen.sh in the root of the ubuntu filesystem Example for RSA 1024 (but RSA keys were upgraded by default to 2048 since Sept 2005)
sudo chroot ubunturoot
for ((i=1;i<32768;i++)); do
echo $i;
/dokeygen.sh $i -t rsa -b 1024 -f /tmp/rsa_1024_$i;
done
Ideally keys & blacklists must be generated on 32 & 64-bit platforms, little & big endian
Then to extract the fingerprints to make the blacklist
for ((i=1;i<32768;i++)); do
if [ -e rsa_1024_$i ]; then
echo $i;
f=$(ssh-keygen -l -f rsa_1024_$i|sed 's/1024 \([0-9a-f:]\+\) rsa.*/\1/;s/://g')
mv rsa_1024_$i $f-$i
mv rsa_1024_$i.pub $f-$i.pub
echo $f |sed 's/^............//'>> blacklist.RSA-1024
fi
done
OpenSSL
wget https://launchpad.net/ubuntu/hardy/+source/openssl-blacklist/0.1-0ubuntu0.8.04.2/+files/openssl-blacklist_0.1-0ubuntu0.8.04.2.tar.gz tar xzf openssl-blacklist_0.1-0ubuntu0.8.04.2.tar.gz cd openssl-blacklist-0.1 Edit debian/control and cleans the dependence on openssl for Ubuntu fakeroot debian/rules binary cd .. sudo dpkg -i openssl-blacklist_0.1-0ubuntu0.8.04.2_all.deb
Now you have openssl-vulnkey tool
OpenVPN
It's not about the SSL keys, those can be checked with openssl-vulnkey.
It's about the shared static keys (openvpn -genkey)
wget https://launchpad.net/ubuntu/hardy/+source/openvpn-blacklist/0.1-0ubuntu0.8.04.1/+files/openvpn-blacklist_0.1-0ubuntu0.8.04.1.tar.gz tar xzf openvpn-blacklist_0.1-0ubuntu0.8.04.1.tar.gz cd openvpn-blacklist-0.1 fakeroot debian/rules binary cd .. sudo dpkg -i openvpn-blacklist_0.1-0ubuntu0.8.04.1_all.deb
Now you have openvpn-vulnkey tool
Others
- encfs
- My key is older, ouf!