Bonum Certa Men Certa

The Notorious, Catastrophic 2008 Debian OpenSSH Vulnerability

posted by Roy Schestowitz on Jun 08, 2024,
updated Jun 08, 2024

Debian logo

Debian OpenSSH Vulnerability, Jasone Blevins. (2008)

In May 2008, a bug was discovered in the Debian OpenSSL package which affected the seeding of the random number generator (RNG) used to generate keys. Any SSH keys generated by affected systems should be considered compromised. GnuPG keys are not affected. See the official Debian security advisory for details.

This does not mean that an attacker could immediately guess your private key, but because there was significantly less entropy being introduced into the seeding of the RNG, the key space was significantly reduced making a brute-force attack feasible. As I understand it, the primary source of entropy for seeding the RNG was originally uninitialized memory from the heap. Additional, more predictable components like the current process ID (an integer between 1 and 32,768) were also used. Due to an erroneous patch introduced in September 2006, uninitialized memory was no longer used in seeding the RNG leaving the process ID as the primary source of randomness. Thus, generated keys can be predicted to the extent that one knows how soon after boot time a key was generated. For example, SSH host keys are usually generated immediately after installation and so they are likely to have been generated by a processes with IDs, say, less than 500.

If it were not for this ever so small bit of “randomness,” this bug would likely have been discovered much sooner, before the patch made it to stable distributions, as someone would have noticed that all their SSH keys were the same. Unfortunately, as they say, bad cryptography looks the same as good cryptography.

Once the bug was discovered, Debian security updates were released that blacklisted the vulnerable keys, causing the system to fall back to a password-based login. If you have an affected key and try to log into an updated system, you may see a message like the following:

Public key 81:e6:75:64:17:5f:e2:ff:12:c3:ac:85:43:1e:6a:3c blacklisted (see ssh-vulnkey(1)); refusing to send it 

Thus as long as your system is up to date, you can sleep well knowing that it won’t be compromised and update your key at your leisure. However, if you have been used to using ssh-agent and key-based authentication, typing your password over and over will soon become burdensome and you’ll want to generate a new key.

The remainder of this article discusses how to check your key and generate a new one if necessary. If you would like to read more about the situation, Russ Cox wrote a very nice article which provides some technical background and documents the decisions leading up to the offending patch.

Read on...

Other Recent Techrights' Posts

Google News is Rewarding Slopfarms, Not Journalism
Don't read junk from chatbots
Richard Stallman, Whose Site is Trusted by Greater Manchester, Has Come to the United Kingdom
He doesn't suck up to the Crown, so he'll never be "knighted"
On Desktops/Laptops in Singapore Does a Fifth of Users Run GNU/Linux?
Probably not, but it's growing fast there
Links 21/04/2025: Fake Ceasefire and Software Patents (Fake Patents) Thrown Out
Links for the day
4 Years Ago Freenode Crumbled From Within
there are still hundreds of thousands of users online at any given time
Microsoft Has Tainted GNOME, Which Has Key People Acting as a SLAPP Front Against Techrights (Trying to Censor the Site by Extortion and Many Threats)
One common denominator (other than Microsoft salaries) is GNOME, which was led by an actual professional crank until she quit so suddenly months ago
Homeland of Linux Kernel Turning to GNU/Linux?
Adoption of Vista 11 has been relatively low
 
Gemini Links 21/04/2025: Remembering Pope Francis, Crystal Simulation
Links for the day
Doing Microsoft's Job. On IBM's Payroll.
today's Red Hat cannot recognise threats even after a head-on collision
Teaching GAFAM in Schools is Like Teaching Children to Smoke Tobacco
So suggests an FSF presentation
Companies With Fake Values and a Fake Economic/Financial State (Phony Valuations)
It'll all go up in smoke, eventually
Links 21/04/2025: Microsoft LLM Slop (Plagiarism) Going Out of Control, CT Scans' Cancer Problems Was Underrated
Links for the day
GNOME Has a Long History (Over a Decade) Misusing the Code of Conduct (CoC) to Censor (Cull) Legitimate Technical Criticism
This has nothing to do with manners, it's about control (by cover-up)
According to StatCounter, This is What Linux Adoption Looks Like (Based on Web Requests Visible to StatCounter)
How much worse will it get for Microsoft?
Gemini Capsules Still Outsourcing to Certificate Authority Let's Encrypt Now Measured at Less Than 10 (or Less Than 0.3%)
In Geminispace, Let's Encrypt is not commonly used
Twisting Microsoft's Failure (Transmitting Malware) as "SSH Backdoors" and a Linux Problem
Somehow we almost always find that those FUD pieces about "Linux" are based on obvious falsehoods
Vista 11 Has Burned OEMs and Some Move to GNU/Linux
When people can finally avoid Windows (there's no reason to attach it to new PCs) there will be a lot more GNU/Linux users out there
Remember That Microsoft Mass Layoffs Are Imminent Because Its 'Empire' is Falling Apart
European politicians take a long, hard look a Free software
Richard Stallman in the UK This Week, Scheduled to Give Two Public Talks (London and Oxford)
Those talks do not cover the same topics
Gemini Links 21/04/2025: April, Autism, and ASN
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, April 20, 2025
IRC logs for Sunday, April 20, 2025
Links 20/04/2025: Partly Assorted Scientific and Political Leftovers
Links for the day
Links 20/04/2025: Many Data Breaches and Growing Censorship Wave
Links for the day
Gemini Links 20/04/2025: Canadian Elections and "Use the Best Tools You Have for the Current Environment"
Links for the day
Deja vu: Hitler's Birthday, Andreas Tille elected Debian Project Leader again
Reprinted with permission from Daniel Pocock
Links 20/04/2025: Bleeding Constitution and ChatGPT Infuriates Users Some More
Links for the day
Chinese OEMs (and World's Largest) Pave a Path Out of Microsoft Windows
So Microsoft now values (or prices) Vista 11 at just $140?
Gemini Links 20/04/2025: Contradictions of Mark Carney and Blog Questions Challenge
Links for the day
Microsoft's 'Lawsuit Diplomacy' (SLAPPs Riding UK Libel Law and Piggybacking UK GDPR, Inapplicable!) Will Only Give a Worse Image to Microsofters (and Microsoft), Give Exposure to Even More Suppressed Facts and Scandals
Microsoft came to dominate some sectors because of (or owing to) crimes; Microsoft won't just go away without some more crimes.
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, April 19, 2025
IRC logs for Saturday, April 19, 2025
Five (or Three) Years Without Social Control Media
Glyn Moody quit X (Twitter)
Electronics in People's Bedrooms
Modern technology not only blurred the gap between "functions" of rooms
Why GNU/Linux is Growing
There's growing interest in GNU/Linux right now because people do not fancy buying a new PC just to 'upgrade' (more spying) Windows
Gemini Links 19/04/2025: Contingencies, GTD, and Old Computers
Links for the day
Links 19/04/2025: Economic Races, Charm Offensives, and USB-C Rants
Links for the day
Links 19/04/2025: "Infantilization at Big Tech" and LLM Slop Abused in Defiance of Workplace Rules/Policies
Links for the day
Gemini Links 19/04/2025: Palm Addiction and Real Experts
Links for the day
Egypt is Controlled by Google, Not Microsoft
Moving from Microsoft to Google is not the answer
Microsofters Say They Cannot Find a Job (That They Want) Because of Techrights, But Techrights Merely Reported on Their Behaviour
Quit pointing the finger at people who are recipients of abuse or merely mention the abuse
Free Software and Standards - Not Marketing Blitz - Needed Amid Growing Severity of Dependency on Hostile Suppliers (or Another Country's Sovereignty)
ZenDiS can be described as the "Center for Digital Sovereignty of Public Administration"
When It Comes to the Web, Google is Evil and It Destroys the Web's Integrity With LLM Slop
Even academia, which is meant to keep standards high, is being lured into LLM slop
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, April 18, 2025
IRC logs for Friday, April 18, 2025