Bonum Certa Men Certa

The Notorious, Catastrophic 2008 Debian OpenSSH Vulnerability

posted by Roy Schestowitz on Jun 08, 2024,
updated Jun 08, 2024

Debian logo

Debian OpenSSH Vulnerability, Jasone Blevins. (2008)

In May 2008, a bug was discovered in the Debian OpenSSL package which affected the seeding of the random number generator (RNG) used to generate keys. Any SSH keys generated by affected systems should be considered compromised. GnuPG keys are not affected. See the official Debian security advisory for details.

This does not mean that an attacker could immediately guess your private key, but because there was significantly less entropy being introduced into the seeding of the RNG, the key space was significantly reduced making a brute-force attack feasible. As I understand it, the primary source of entropy for seeding the RNG was originally uninitialized memory from the heap. Additional, more predictable components like the current process ID (an integer between 1 and 32,768) were also used. Due to an erroneous patch introduced in September 2006, uninitialized memory was no longer used in seeding the RNG leaving the process ID as the primary source of randomness. Thus, generated keys can be predicted to the extent that one knows how soon after boot time a key was generated. For example, SSH host keys are usually generated immediately after installation and so they are likely to have been generated by a processes with IDs, say, less than 500.

If it were not for this ever so small bit of “randomness,” this bug would likely have been discovered much sooner, before the patch made it to stable distributions, as someone would have noticed that all their SSH keys were the same. Unfortunately, as they say, bad cryptography looks the same as good cryptography.

Once the bug was discovered, Debian security updates were released that blacklisted the vulnerable keys, causing the system to fall back to a password-based login. If you have an affected key and try to log into an updated system, you may see a message like the following:

Public key 81:e6:75:64:17:5f:e2:ff:12:c3:ac:85:43:1e:6a:3c blacklisted (see ssh-vulnkey(1)); refusing to send it 

Thus as long as your system is up to date, you can sleep well knowing that it won’t be compromised and update your key at your leisure. However, if you have been used to using ssh-agent and key-based authentication, typing your password over and over will soon become burdensome and you’ll want to generate a new key.

The remainder of this article discusses how to check your key and generate a new one if necessary. If you would like to read more about the situation, Russ Cox wrote a very nice article which provides some technical background and documents the decisions leading up to the offending patch.

Read on...

Other Recent Techrights' Posts

US Government: 6.1% of Site Visitors Use GNU/Linux
GNU/Linux has a considerable share and it is growing
Why the FSF No Longer Recommends Debian, as Explained by Richard Stallman This Month
some weeks ago
Defeating LLM Abuse (State-of-the-Art Plagiarism) in the Area of Linux and GNU, Free Software, BSD, Security and So On
The aim is to get them to stop using LLMs to rip off other people's work
Digital Sanitation Good Practices
leave behind Microsoftism
 
As Economies Crumble Free as in Beer Will Matter, Not Just Free as in Freedom/Libre (Libertad)
French regions choosing to embrace Software Freedom
25 Years Ago, an Explanation of How Reducing Free Software to 'Apps' Would Interfere With Freedom Goals
there's nothing unreasonable about it
A List of 63 Known Gemini Clients (Software to Browse Geminispace Content With Gemini Protocol)
Not counting browser plugins for Web browsers
Gemini Links 19/10/2025: "Firma Odin Is Transforming" and Bot Attacks While "AFK"
Links for the day
LLM Slop Could Not Rise to Prominence Without Media Complicity and Artificial Hype
Inane garbage disguised as "journalism"
All the Latest Half Dozen Articles by Mehedi Hasan (UbuntuPIT) Only Admit at the End That He's Using LLM Slop
Disclosure is OK, but the practice of using slop is not
The 'Modern' Web of Fake Security and Easy Censorship of Whole Domains
Each year it gets worse
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, October 18, 2025
IRC logs for Saturday, October 18, 2025
The Term "AI" is Not New and What Today's Media Calls "AI" Isn't Even AI
Only the hype was new... and totally artificial
Gemini Links 18/10/2025: "Planetary Rings", Steam, and PSU Replacement
Links for the day
Links 18/10/2025: Russell Vought in Charge, US Government Leans to Russia Again
Links for the day
Credit Where It's Due: LinuxConfig.org Quit Doing LLM Slop, Back to Original and Real Articles
We waited for a while to say this, now it seems conclusive
Of Note: UbuntuPIT Aware of Critics of Slop, Adds Disclosure of Use of LLMs
We appreciate the honesty
Links 18/10/2025: Madagascar's President Flees and ICE Arrests Protest Comedian Robby Roadsteamer
Links for the day
Richard Stallman Near the European Patent Office (EPO) in 3 Days From Now
It'll be a good opportunity for patent examiners to listen, ask questions, and maybe greet him in person
From Scholar to Booster of Slop (and Even Slop in His Own Blog)
We're going to keep an eye on future posts of his
End of Vista 10 Also Good News for the BSDs
There are many news sites that recommend trying GNU/Linux this month
What's Wrong With Liking Parrots or Birds as Pets?
They'd demonise people for speaking about freedom, no matter what they say or do
10 Days Ago Richard Stallman Gave a Long Interview in French (linuxfr.org)
English translation
Science, Not Fast Food/Junk Food
The commercial exploitation of users won't stop until users exercise full control over their software or - more broadly - their computing (including data)
The Free Software Foundation, Which Has Appointed a 43-Year-Old President, is Looking to Add Another Board Member (or Treasurer)
expect the FSF to add more people
Richard Stallman Confirms Next Week's Talk at Technical University of Munich, We Urge EPO Staff to Attend
That's probably late enough for EPO staff to attend after work
Gemini Links 18/10/2025: Notifications and Geminaut
Links for the day
Many Red Hat People Are Leaving, But It'll Be Framed Publicly as Leaving IBM
Similarly, IBM layoffs (or "RAs" as they're called) include Red Hat layoffs
Expect More Waves of Microsoft Layoffs This Month (at Least Two Rounds Confirmed Already)
From what we can gather, assuming the recent rumours about XBox are true, there will be at least 3 waves of Microsoft layoffs this month alone
Security Issues in Cisco and Jenkins Passed Off as "Linux" Problems
Fear, Uncertainty, Doubt (FUD) tactics
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, October 17, 2025
IRC logs for Friday, October 17, 2025
[Video] Dr. Richard Stallman at Technické Univerzitě v Liberci
New/via libre-liberec.cz
Slopwatch: LinuxSecurity, Linux Journal (Slashdot Media), UbuntuPIT, and Google News (Noise)
egregious plagiarism
Links 17/10/2025: Better Answers Sought After Air Crashes, "China Fans Patriotic Sentiment as Trade War With U.S. Heats Up"
Links for the day
Security is Desirable, But Not When the Term Security is Misused to Imply Centralisation of "Trust" (Whose?)
'Security' is not an excuse for vendor lock-in
Links 17/10/2025: Fentanylware (CheeTok) Causing Problems, Japanese Government Blasts Slop
Links for the day
The Linux Foundation Seems to Have Turned Linux.com Not Only Into a Spamfarm But Also LLM Slopfarm
it's polluting the Web, even important domains like Linux.com, with spam and LLM slop
Links 17/10/2025: UK’s Largest Breach Penalty and Windows TCO Examples
Links for the day
Go Watch Video About Librephone, Get Microsoft Ads
Very ethical company...
Campaign of Defamation Against the People Who Built NixOS (and Are Now Pushed Out From Their Own Project)
We've already grown familiar with - and resistant to - such tactics
Links 17/10/2025: Nestlé Crisis, Canada Post Versus 'Gig Economy' [sic] and Vista 11 Breaks Itself
Links for the day
Tux Machines Has Helped Separate Opinions/Analysis From News
In September 2023 we decided to split things apart and not repeat links in both sites
Tux Machines Has Improved Navigation of GNU/Linux and BSD News
Some more 'wiring' work
What a World Would Look Like If Everyone Used Free Software Only
Freedom is what matters, not "Open".
The Media Helps Microsoft, Amazon and Others (GAFAM and Beyond) Lie About Mass Layoffs Amid Valuation Bubble
The media, instead of saying that there's an "AI bubble" crashing the economy might instead choose the narrative of "jobs replaced by AI"
Bad Tempered? You Might Have Just Given Away That You're Losing the Argument
Brett Wilson LLP is fully aware that it is being investigated
Richard Stallman (RMS) is a Target of Defamation Campaigns Because of His Views on Software (But Politics Are the Excuse for Defaming Him)
Here in this site we try to refrain from politics, except in Daily Links
End of Vista 10 and Rise of GNU/Linux as Client Side Operating System
It seems certain GNU/Linux will grow in popularity over time
Taking Stock of a Week's Worth of EPO Leaks
We remain committed to exposing EPO corruption as long as it keeps happening
Mathieu Parreaux claims FINMA knew since day one
Reprinted with permission from Daniel Pocock
Calumny, Libel, Joerg Jaspert & debian-private untouchable cyberbullies
Reprinted with permission from Daniel Pocock
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, October 16, 2025
IRC logs for Thursday, October 16, 2025
Techrights Turns 19 in 3 Weeks
coverage of suppressed topics and protecting all sources/whistleblowers
International E-Waste Day Same Day as End of Vista 10
message from Akira Urushibata
The EPO's Central Staff Committee Presents Evidence That Staff Compensation Lowered While the Office Increases Income by Illegally Granting Invalid Patents
These people become millionaires by doing illegal things
Second or Third Wave of Microsoft Mass Layoffs in October 2025, This Time Portugal
Those are just the ones we know about, there may be several more
'Help Net Security' (helpnetsecurity.com) May Have Become a Slopfarm as Well
Zeljka Zorz, Editor-in-Chief at Help Net Security, was reported to us
Gemini Links 17/10/2025: Rant About Network Solutions, Strange Anomaly on Lagrange
Links for the day