143 Comments
- smotpoker, on 08/28/2008, -15/+108
What a useless article... No mention of how the keys were stolen or where from.
For the record, ssh keys are not used by default on any distribution I've ever seen and IIRC, Ubuntu (and likely most other desktop distributions) has SSH server disabled by default.
For the average Linux desktop user this means in order to be affected you have to:
-Enable sshd
-Configure ssh keys for specific users/processes
-Not update your system regularly and then
-Give those keys out to someone or leave them on a compromised or vulnerable system (ie a system that is also seldom updated and also uses ssh keys and was compromised using the same method)
- d3dm, on 08/28/2008, -4/+44
My other computer is your Linux box!
- TruckStuff, on 08/28/2008, -5/+44
I know this will come as a shock to most Ubuntu users, but most linux installs are servers that are admin'ed via ssh. Simply turning off sshd isn't an option in many cases.
- StupotAce, on 08/28/2008, -2/+24
An attack against linux? Must be a sign that it's the year of linux.
...well, somebody was gonna say it sooner or later.
- cgibbo, on 08/28/2008, -1/+22
Hi! I'm Debian! Here are some random numbers for you:
1, 4, 12, 7, 1, 4, 12, 7
- mrjit, on 08/28/2008, -1/+19
Yes, they are referring to the home Ubuntu user and not the datacenters with thousands upon thousands of *nix servers.
- ChronicColonic, on 08/28/2008, -2/+20
They should rename the site 'InformationWeak.'
- Ryanx0r, on 08/28/2008, -2/+19
Of course I'm not serious...
Wow.. sarcasm doesn't fare too well in Digg land.. lesson learned
- toff72, on 08/28/2008, -1/+18
that's the problem with randomness, you can never be sure!
- andycr512, on 08/28/2008, -0/+16
jamesmcm: Most SSH servers are fine; it's only ones which the keys leaked from which are threatened. It's like saying people should quit using GMail altogether because 3 people who have accounts on it gave away their passwords.
- dondara, on 08/28/2008, -0/+16
Eh, threat to mis-configured servers. Really, if this takes your machine down, something else was going to anyway.
- AmaDaden, on 08/28/2008, -2/+17
"No mention of how the keys were stolen or where from."
I believe the keys in question are the ones generated during the Debian SSH issue a few months ago. For Ubuntu if you updated to fix this key issue the updater would (if you let it) regenerate your SSH keys.
Yes this is getting WAY blown out of proportion. All Linux security is. This is likely due to the "masturbating monkeys" (http://article.gmane.org/gmane.linux.kernel/706950 ...) who consider every security hole the-worst-thing-that-has-happened-ever-oh-dear-god-it's-been-10-minutes-why-isn't-it-fixed-yet. Also any linux security bug is a reason for windows and mac people to point and say "look how bad linux security is!"
Security bugs happen to every program and every OS. They tend to get fixed far quicker than the patch is actually pushed out. I bet this little issue will still be a problem for a handful of computers in another 5 years just like there are still a few windows 95 computers on the net trying to send Michelangelo (http://en.wikipedia.org/wiki/Michelangelo_(virus))
- db113456, on 08/28/2008, -2/+16
Now it does look like the source of the stolen keys is the debian related ssh key generation entropy reduction affected keys ... if that is the case, the likelihood of any success is very low, partly due to the high profile of that issue, and the widespread ripple effect of patching and new key generation that took place. I don't think any of the compromised 64000 or so keys are in use today. If they however stole keys from somewhere else, then that could be a different story. Even then, most admins I know just generate a key-pair on the spot and use it for authentication and not use their usual e-mail etc.. singing keys
- RTFishUL, on 08/28/2008, -2/+15
and make sure that venus is in line with jupiter during a blue moon.
- Onestone, on 08/28/2008, -0/+13
Why?
- IphtashuFitz, on 08/28/2008, -0/+13
ssh keys aren't merely a method of logging in without a password. Indeed, you can set a passphrase on an ssh key so that you still need to type in the equivalent of a password. ssh keys give you added security if you desire it (and take advantage of it). One simple case in point: You can tell the ssh daemon to disallow root logins via a password and only via an ssh key. In doing that you effectively improve security of the system so that even brute-force attacks against the root account will fail (root password from the console would still work, so you could always log in if you're physically at the computer). The only way you'd be able to log in remotely as root would be if you had the ssh key, and hopefully that ssh key has a passphrase associated with it.
You can also associate a specific command with a key, so if you have an automated script that needs to log in and execute a command you can restrict the key so only that command can be executed. ssh keys can be very powerful and provide excellent security if you know the proper way to use them. Unfortunately it seems that many people just use them to avoid having to enter passwords, which is why this attack is proving successful.
- Drahkar, on 08/28/2008, -4/+14
It's not really a vulnerable kernel. The people in question -have- the keys. They just setup an account and connect to a box with those keys configured. They are trying to make a huge issue out of it like it's a code security hole when in reality it's a human security hole. If you are dumb enough to give out your key to someone, you deserve to get hacked.
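The two controls IphtashuFitz describes (root allowed in only with a key, and a key pinned to a single command) as an added example; this is not code from the thread or the article. The sample sshd_config, the backup script path and the key line are constructed, the audit reads sshd_config the way sshd does (first occurrence wins, Match blocks not handled), and it assumes "yes" as the default for both directives, which was the OpenSSH default when the thread was written (newer releases default PermitRootLogin to prohibit-password).

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# "root only via key" setup, and build an authorized_keys entry that
# pins a key to one command. Sample config and paths are constructed.
set -e

# Effective value of a directive: sshd uses the first occurrence, and
# commented-out lines ("#PermitRootLogin yes") are ignored. Match blocks
# are not handled here.
sshd_value() {  # $1 = config file, $2 = directive, $3 = assumed default
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Prints "ok" when root cannot authenticate with a password over ssh,
# otherwise "root-password-login". Assumes "yes" as the default for both
# directives (the OpenSSH defaults when this thread was written).
audit_root_login() {  # $1 = config file
    root=$(sshd_value "$1" PermitRootLogin yes)
    pw=$(sshd_value "$1" PasswordAuthentication yes)
    case "$root" in
        no|without-password|prohibit-password|forced-commands-only) echo ok ;;
        *) if [ "$pw" = no ]; then echo ok; else echo root-password-login; fi ;;
    esac
}

# authorized_keys line for an automated task: the key may only run the
# forced command, with forwarding and PTY allocation disabled
# (command= and the no-* entries are standard authorized_keys options).
restrict_key() {  # $1 = forced command, $2 = public key ("ssh-rsa AAAA... comment")
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2"
}

# Constructed sample sshd_config: the commented default is superseded below it.
CONF=$(mktemp)
cat >"$CONF" <<'EOF'
Port 22
#PermitRootLogin yes
PermitRootLogin without-password
PasswordAuthentication yes
EOF

audit_root_login "$CONF"   # ok
restrict_key /usr/local/bin/backup.sh 'ssh-rsa AAAAB3 backup@host'
```

Password-equivalent logins through ChallengeResponseAuthentication/PAM are outside this audit; check them separately.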
- ElectricKetchup, on 08/28/2008, -1/+10
>"No mention of how the keys were stolen or where from."
RTFA to the rescue!
"SANS Internet Storm Center handler John Bambenek in a blog post said that the weak key vulnerability identified in Debian-based systems a few months ago could be one source of compromised SSH keys."
- neowolfwitch, on 08/28/2008, -1/+10
I have to agree with what others have already said. This very likely wouldn't affect ANY desktop user, only those with mis-configured servers. If a sysadmin is living under a rock and didn't update a debian-based server after the very-highly-publicized security warnings, or if they don't secure their keys appropriately, then they probably deserve to be a victim of this attack.
Generally such keys should only be available to someone with root access, and if someone already has that level of access, you've got a lot more problems than just this exploit.
- DteK, on 08/28/2008, -3/+11
no my friend, ***** you, ***** you in the ass and mouth.
- bigsteve, on 08/28/2008, -0/+8
Leave port 22 open on a *nix machine with SSH running (without keys) over a weekend, and look at the logs later to see why this is a good idea :) Lots of ***** poking around out there.
And keeping root login off is always a good idea, because that's one username every system will have. Let the bastards guess a username and a password.
- df12, on 08/28/2008, -1/+9
I have a feeling your definition of "Server" isn't what Truckstuff is referring to. But that's beside the point now isn't it......
- inactive, on 08/28/2008, -0/+8
There are no stolen SSH keys. The rootkit is targeting keys and then giving them to the attacker. This is a common practice with rootkits and thus is pointless to mention unless the intent is to scare people. Buried as inaccurate.
- tomarocco, on 08/28/2008, -3/+10
...as all the MCSE's reading this article think to themselves: "What the hell is SSH?"
- dougmc, on 08/28/2008, -1/+8
Probably nothing. It really has little to do with the kernel. (I would say it has nothing to do with the kernel, but a rootkit does have something to do with it ...)
- HonoredMule, on 08/28/2008, -0/+6
Sorry, I'll lower the voltage.
- Huangism, on 08/28/2008, -9/+15
***** right! you know you want it
- Culyt, on 08/28/2008, -2/+8
You can try SSH over an encrypted VPN if you're really tinfoilhat (unrelated point: tinfoilhats actually make you more vulnerable to mind control/reading).
I would also recommend changing the port number of your SSH server, this is security through obscurity, and despite common misconceptions it's actually a *GOOD* thing. It's *not good* to *rely* on security through obscurity but having obscurity *in addition to regular security* improves overall security.
You can never get every hole, but you can cut down your chances of getting hit by an automated non-specific attack since they will be looking for port 22 as port scanning and service fingerprinting systems is not worthwhile.
- kaelyiesta, on 08/28/2008, -0/+6
You do realize that the wheels of the internet often run on linux? Whether or not it's your OS of choice for personal computers, linux is often above the rest when it comes to servers.
- IphtashuFitz, on 08/28/2008, -0/+5
Even if you use ssh keys you should always use a passphrase with the key, especially root ssh keys. And the passphrase should be as secure as any other password, not just "1 2 3 4 5". If you need to use an ssh key without a passphrase for some automated task then create an unprivileged user account with its own ssh key for the task to run under. That way even if somebody manages to get a copy of the public key they're severely limited in what they can do.
- 0x1B, on 08/28/2008, -1/+6
It's a bit of a long shot, for sure, unless you've got a wide-open machine sitting off your cable modem or something.
I can't find any details about the rootkit, but I wonder if it needs any build tools. Might be good to create a user account which can't log in, call it 'build' or something. Then make sure only root and the build user can use make, gcc, all the libs, etc. Remount /tmp as noexec might help, though they mention the kit creates a directory called /etc/khubd.p2. I wonder if creating a regular, empty file with that same name beforehand and then chmodding it to 000 would work. I don't know if the directory is created or populated as root or whatever. But perhaps it won't be able to overwrite files or some such. Worth a look maybe.
- smotpoker, on 08/28/2008, -7/+12
-Be running a vulnerable kernel (not sure what sort of exploit or which kernels are affected by it)*
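Two defender-side checks prompted by IphtashuFitz's passphrase advice and 0x1B's note about the /etc/khubd.p2 directory, as an added example that is not from the thread or the article: one flags PEM-format private keys that carry no passphrase, the other reports whether the directory the article attributes to the rootkit exists. The key files below are constructed placeholders, not real key material, and the directory argument is an assumption so the check can be pointed at a test location.

```shell
#!/bin/sh
# Added example (not from the thread): flag passphrase-less private keys
# and look for the /etc/khubd.p2 directory named in the article.
# Sample key files are constructed placeholders, not real keys.
set -e

# "yes" if the PEM key carries the "Proc-Type: 4,ENCRYPTED" header that
# ssh-keygen writes for passphrase-protected keys, "no" otherwise.
# Keys in the newer "-----BEGIN OPENSSH PRIVATE KEY-----" format do not use
# this header; for those, `ssh-keygen -y -P '' -f key` failing is the test.
key_has_passphrase() {  # $1 = private key file
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo yes; else echo no; fi
}

# Walk a directory of keys and print the private keys with no passphrase.
list_unprotected_keys() {  # $1 = directory
    for f in "$1"/*; do
        grep -q 'PRIVATE KEY-----' "$f" 2>/dev/null || continue
        if [ "$(key_has_passphrase "$f")" = no ]; then printf '%s\n' "$f"; fi
    done
    return 0
}

# "present" if the rootkit's directory exists, else "absent".
# $1 overrides the default path so the check can be exercised in a test dir.
rootkit_marker_present() {  # $1 = path, defaults to /etc/khubd.p2
    if [ -d "${1:-/etc/khubd.p2}" ]; then echo present; else echo absent; fi
}

# Constructed sample keys: one passphrase-protected, one not.
DIR=$(mktemp -d)
cat >"$DIR/id_rsa_protected" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

PLACEHOLDER-NOT-A-REAL-KEY
-----END RSA PRIVATE KEY-----
EOF
cat >"$DIR/id_rsa_open" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER-NOT-A-REAL-KEY
-----END RSA PRIVATE KEY-----
EOF

list_unprotected_keys "$DIR"            # prints $DIR/id_rsa_open
rootkit_marker_present "$DIR/khubd.p2"  # absent
```

The separate question the thread raises, whether a key was generated by the weak Debian OpenSSL, is what Debian's ssh-vulnkey tool answered against the published blacklists; this script does not cover it.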
- johndavidjack, on 08/28/2008, -0/+5
Man, what? Only noobs use SSH!
Real men keep a root-bash shell piped over netcat open on their servers!
./configure --D-GAPING-SECURITY-HOLE
- DteK, on 08/28/2008, -1/+6
johndavidjack, the idiot who doesn't know the difference between an OS and a kernel
- db113456, on 08/28/2008, -0/+5
Signing keys, like signature ....
obviously a typo and the spellchecker did not catch it :-)
- pault107, on 08/28/2008, -0/+4
Troll. Check his comment history:
http://zuubu.pcriot.com/?username=heilhitler&selec ...
This is the same guy that was all over Digg yesterday and got banned. He spreads his vile filth looking for a response. But he's a bit more dangerous than that - DO NOT CLICK ON ANY OF HIS LINKS. Some lead to a virus, some lead to browser hijacks. Just report him and move on.
- bemenaker, on 08/28/2008, -0/+4
How about realizing he was being a little sarcastic. And with Ubuntu being a fav amongst newbies, it is fair to point out that by default, Ubuntu does not install sshd.
- hashinclude, on 08/28/2008, -0/+4
Hmm .. windows is superior in the way the KKK is superior?
- inactive, on 08/28/2008, -0/+4
The updates included blacklisting the bad keys and regenerating keys so that is not true.
- SteveMax, on 08/28/2008, -0/+3
Note that the SSH problem didn't happen a few months ago: it was corrected a few months ago. The bug has been there since 2006 (see the exact moment of its introduction at http://svn.debian.org/viewsvn/pkg-openssl/openssl/ ... )
This means there is a whole lot of compromised machines out there. But this is not a Linux problem, it's a problem with the Debian mentality ("let's fork the code as we want and never talk to upstream about problems, because of course we know their code better than themselves!").
- Culero, on 08/28/2008, -1/+4
that was blatantly /s, too.
- mrno, on 08/29/2008, -0/+3
WOW! This is the best they can do? So your kernel has to be unpatched, you need rootkit installed, and you must use a ssh key without "any" passphrase. DAMN. We got owned. Please try again. Script kiddies.
- inactive, on 08/28/2008, -3/+6
stick to reddit, sarcasm and intellect are allowed there.
- inactive, on 08/28/2008, -1/+4
it doesn't matter if you update regularly, if you generate a vulnerable key, it stays generated..
you have to regenerate all new keys after upgrading
(it mentions the keys were most likely 'stolen' (faked) thanks to an ssl/ssh random number generation flaw a few months back)
- raydeen, on 08/28/2008, -1/+4
And they do NOTHING!!!
- vat0r, on 08/28/2008, -0/+3
My thoughts exactly.
- rowjimmy, on 08/28/2008, -0/+3
it's kind of funny, really. sometimes i'll have my router forwarding 22 to a certain box, so that i can ssh tunnel from work to access my daap share. then a few days later, i'll look at swatch_rejects and it'll be filled to the brim :)
- inactive, on 08/28/2008, -1/+4
It is funny that you are getting buried. I too have noticed a pattern of articles this week attempting to give Linux a bad image. Every article headline was totally unrelated to the actual article, just like this one. Propaganda/PR is a full time job for many so I am actually surprised we don't see more of this type of social engineering.
- bemenaker, on 08/28/2008, -0/+3
Not to split hairs, cuz you are absolutely right, but most of us understand that and know that linux means GNU/linux.
- TruckStuff, on 08/28/2008, -0/+3
The Internet runs on tubes, not wheels. Duh...