Predictable SSH Keys: Not So Secure Shell

SSH, or Secure Shell, is an encrypted protocol (using SSL) for connecting to another machine. SSH also supports X11 forwarding, so graphical programs running on one machine can display on another. It is much more secure than telnet or other protocols for reaching a shell prompt on a remote machine. A key generated by the server verifies that the user is connecting to the correct machine and has not been diverted to a different (malicious) one. Some systems use a user-level key as their only authentication method -- no password required.

As security expert Luciano Bello discovered, Debian's OpenSSL library was generating predictable random number sequences. This means that the content encryption and authentication mechanisms SSH relies on were all weak, since anyone with enough spare time could break the keys by brute force.

The problem goes back to 2006, when Debian patched the OpenSSL library to fit the distribution better. The change removed the logic that seeded the OpenSSL random number generator, and without seeding, the generator's output was no longer random.

This isn't limited to SSH, however: the vulnerability extends to OpenVPN keys, DNSSEC keys, key material used in X.509 certificates, and session keys used in SSL/TLS connections. All keys generated with OpenSSL versions starting with 0.9.8c-1 should be considered compromised.

The testing and current (etch) Debian versions are affected, but not the old stable (sarge) distribution. For Ubuntu, versions 7.04 (Feisty Fawn), 7.10 (Gutsy Gibbon), and 8.04 LTS (Hardy Heron) are all impacted.

To fix the vulnerability, all affected systems should install the patch for the OpenSSL library. Once the update is applied, weak user keys are automatically rejected where possible so that new keys can be regenerated.

The known_hosts files should be updated with the regenerated keys and the old keys deleted. The update contains an ssh-vulnkey tool which can check for vulnerable keys. Unless there is a high degree of confidence that a key was generated on a safe machine (an old Debian version), all keys should be regenerated regardless.
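The two technical points above, that an unseeded generator produces a small set of predictable keys and that a checker like ssh-vulnkey can therefore recognise every such key, can be seen together in a toy model. The following is an added example written for this page; it is not code from the article, from Debian, or from OpenSSL. The "key generator" is a stand-in that derives 256 bits of key material from a PRNG (it is not RSA or DSA key generation), and the assumption that the broken generator's seed varies over only 2**15 values is chosen for illustration, not taken from the article. The blacklist check works the way ssh-vulnkey does in principle: precompute the fingerprints of every key the weak generator can emit, then look each key up in that set.

```python
"""Toy model of predictable keys from an unseeded RNG and a blacklist check.

Added example for this article; not Debian, OpenSSL or ssh-vulnkey code.
"""
import hashlib
import os
import random

# ASSUMPTION for illustration: the broken generator's seed can take only
# 2**15 distinct values, so at most 2**15 distinct keys can ever be produced.
SEED_BITS = 15
WEAK_SEED_SPACE = 1 << SEED_BITS


def toy_keygen(seed_material: bytes) -> bytes:
    """Derive 256 bits of 'key material' from a seed.

    Stands in for a key generator whose only source of unpredictability is
    the RNG seed: same seed, same key. Not real RSA/DSA generation.
    """
    rng = random.Random(seed_material)
    return rng.getrandbits(256).to_bytes(32, "big")


def weak_keygen(seed: int) -> bytes:
    """Broken case: the seed is a small integer, so the key space is tiny."""
    if not 0 <= seed < WEAK_SEED_SPACE:
        raise ValueError("seed outside the modelled weak seed space")
    return toy_keygen(seed.to_bytes(2, "big"))


def proper_keygen() -> bytes:
    """Fixed case: the seed is 32 bytes from the operating system's entropy pool."""
    return toy_keygen(os.urandom(32))


def fingerprint(key: bytes) -> str:
    """Fingerprint a key the way a checker would: hash of the public key bytes."""
    return hashlib.sha256(key).hexdigest()


def build_blacklist() -> frozenset:
    """Defender's precomputation: enumerate every key the weak generator can
    produce and keep only its fingerprint. Because the seed space is small,
    this is cheap, which is exactly why the keys are unsafe."""
    return frozenset(fingerprint(weak_keygen(s)) for s in range(WEAK_SEED_SPACE))


def is_weak(key: bytes, blacklist: frozenset) -> bool:
    """True if the key is one the weak generator could have produced."""
    return fingerprint(key) in blacklist


def audit(keys: dict, blacklist: frozenset) -> list:
    """Check a set of named keys (think: entries in authorized_keys or
    known_hosts) and return the names whose keys must be regenerated."""
    return sorted(name for name, key in keys.items() if is_weak(key, blacklist))


if __name__ == "__main__":
    # Constructed sample: one key from the broken generator, one from the fixed one.
    blacklist = build_blacklist()
    sample = {
        "host:etch-box": weak_keygen(4321),   # generated on an affected system
        "user:alice":    proper_keygen(),     # generated after the fix
    }
    print("distinct weak keys:", len(blacklist))
    print("keys to regenerate:", audit(sample, blacklist))
```

Running the block prints the size of the weak-key set (2**15 in this model) and reports only the key that came from the broken generator. The point of the model is the asymmetry: a properly seeded generator draws from a space far too large to enumerate, while the unseeded one can be enumerated once and its fingerprints kept as a blacklist, which is why a static check can flag every affected key without any knowledge of which machine produced it.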