heads up on svn.python.org ssh keys - debian/ubuntu users may need new ones
Heads up.

Debian screwed up. As a result all ssh and ssl keys generated in the last 18 months on debian and ubuntu systems may be compromised due to not using a good random number generator seed.

http://lists.debian.org/debian-security-announce/2008/msg00152.html and http://www.links.org/?p=327

If you generated your python subversion ssh key during this time on a machine fitting the description above, please consider replacing your keys.

apt-get update ; apt-get upgrade on debian will provide you with an ssh-vulnkey program that can be used to test if your ssh keys are valid or not.

-gps
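An added example, not code from this thread or from Debian's ssh-vulnkey, showing the kind of check ssh-vulnkey performs: fingerprint every key in an authorized_keys file and flag those whose fingerprint appears in a blacklist of known-weak keys. The blacklist entry format (last 20 hex characters of the MD5 fingerprint), the sample keys and the blacklist contents are assumptions constructed for the example.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a positive integer (extra 0x00 byte when the high bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH 'ssh-rsa <base64 blob> <comment>' line from constructed e and n."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def fingerprint_suffix(pubkey_line: str) -> str:
    """Last 20 hex chars (80 bits) of the MD5 fingerprint of the decoded key blob.
    Assumed here to be the form in which the openssh-blacklist files list weak keys."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return hashlib.md5(blob).hexdigest()[-20:]

def check_keys(authorized_keys_text: str, blacklist: set) -> dict:
    """Report each key like ssh-vulnkey: COMPROMISED if its fingerprint suffix is
    blacklisted, otherwise 'Not blacklisted'. Keyed by the key's comment field."""
    report = {}
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2 or not fields[0].startswith("ssh-"):
            continue  # option-prefixed lines and other key formats are out of scope here
        comment = fields[2] if len(fields) > 2 else fields[1][:16]
        listed = fingerprint_suffix(line) in blacklist
        report[comment] = "COMPROMISED" if listed else "Not blacklisted"
    return report

# Constructed sample keys: the moduli are arbitrary 1024-bit numbers, not real keys.
WEAK_KEY = rsa_pubkey_line(65537, (1 << 1023) + 0x5EED, "alice@debian-box")
OK_KEY = rsa_pubkey_line(65537, (1 << 1023) + 0xC0FFEE, "bob@workstation")

# Stand-in for a real blacklist file, constructed so WEAK_KEY is listed and OK_KEY is not.
BLACKLIST = {fingerprint_suffix(WEAK_KEY)}
AUTHORIZED_KEYS = "# constructed authorized_keys\n" + WEAK_KEY + "\n" + OK_KEY + "\n"

if __name__ == "__main__":
    for comment, status in check_keys(AUTHORIZED_KEYS, BLACKLIST).items():
        print(f"{status}: {comment}")
```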
2008/5/13 Gregory P. Smith:
> Heads up.
>
> Debian screwed up. As a result all ssh and ssl keys generated in the last 18 months on debian and ubuntu systems may be compromised due to not using a good random number generator seed. http://lists.debian.org/debian-security-announce/2008/msg00152.html and http://www.links.org/?p=327
>
> If you generated your python subversion ssh key during this time on a machine fitting the description above, please consider replacing your keys.
>
> apt-get update ; apt-get upgrade on debian will provide you with an ssh-vulnkey program that can be used to test if your ssh keys are valid or not.
Thanks for pointing it out Gregory. ssh-vulnkey says most of my keys are compromised, including the one used for python's svn.
> -gps

-- 
Guilherme H. Polo Goncalves
On Tue, May 13, 2008 at 1:45 PM, Guilherme Polo wrote:
> Thanks for pointing it out Gregory.
> ssh-vulnkey says most of my keys are compromised, including the one used for python's svn.
Then according to the developer FAQ, you should change your keys and email pydotorg@python.org.

-- 
Cheers,
Benjamin Peterson
"There's no place like 127.0.0.1."
> If you generated your python subversion ssh key during this time on a machine fitting the description above, please consider replacing your keys.
>
> apt-get update ; apt-get upgrade on debian will provide you with an ssh-vulnkey program that can be used to test if your ssh keys are valid or not.
I'll ping all committers for which ssh-vulnkey reports COMPROMISED.

I personally don't think the threat is severe - unless people also published their public SSH keys somewhere, there is little chance that somebody can break in by just guessing them remotely - you still need to try a lot of combinations for user names and passwords, plus with subversion, we'll easily recognize doubtful checkins (as we do even if the committer is legitimate :-).

Regards,
Martin
On Tue, May 13, 2008 at 7:12 PM, "Martin v. Löwis" wrote:
>> If you generated your python subversion ssh key during this time on a machine fitting the description above, please consider replacing your keys.
>>
>> apt-get update ; apt-get upgrade on debian will provide you with an ssh-vulnkey program that can be used to test if your ssh keys are valid or not.
>
> I'll ping all committers for which ssh-vulnkey reports COMPROMISED.
>
> I personally don't think the threat is severe - unless people also published their public SSH keys somewhere, there is little chance that somebody can break in by just guessing them remotely - you still need to try a lot of combinations for user names and passwords, plus with subversion, we'll easily recognize doubtful checkins (as we do even if the committer is legitimate :-).
Well, I had a break-in on my public server (peadrop.com) this week, which had a copy of my ssh pubkey. I don't know if the attacker took a look at my pubkeys, but I won't take any chances. So, I definitely have to change my key, ASAP.

-- Alexandre
On May 13, 2008, at 7:12 PM, Martin v. Löwis wrote:
>> If you generated your python subversion ssh key during this time on a machine fitting the description above, please consider replacing your keys.
>>
>> apt-get update ; apt-get upgrade on debian will provide you with an ssh-vulnkey program that can be used to test if your ssh keys are valid or not.
>
> I'll ping all committers for which ssh-vulnkey reports COMPROMISED.
>
> I personally don't think the threat is severe - unless people also published their public SSH keys somewhere, there is little chance that somebody can break in by just guessing them remotely - you still need to try a lot of combinations for user names and passwords, plus with subversion, we'll easily recognize doubtful checkins (as we do even if the committer is legitimate :-).
It's also probably worth checking the keys for everyone who has shell access on the python.org machines.

-Barry