informationweek.com — US-CERT on Tuesday warned of attacks against Linux computers using compromised SSH keys. SSH (Secure Shell) is a network protocol designed to provide secure network communication via public-key cryptography. According to US-CERT, the attack appears to rely on stolen SSH keys to gain access to a system
Aug 27, 2008 View in Crawl 4
honoredmuleAug 28, 2008
Sorry, I'll lower the voltage.
init100Aug 28, 2008
@senfo"I do not believe that they ship with SSH-key support enabled, by default."They do, like all distributions I have tried. This isn't a problem though, since key authentication is much more secure than password authentication, which is also enabled by default. Actually, sites that care about security rather quickly turn off password authentication in OpenSSH and instead require a key pair to authenticate.Many users use passwords that can easily be defeated by a dictionary attack, and such attempts are very common. I see many of them every day in my SSH server logs, but they all fail since I do not allow password authentication.Key pair authentication on the other hand is extremely safe, unless your key is predictable like with the Debian OpenSSL key generation flaw discovered earlier this year. With proper unpredictable keys finding the right key will take an eternity. The attacker would have to guess the right private key, out of 2^1024 or more (if you use larger key sizes than 1024 bits - I use 2048 bit keys) keys, to successfully break into such an SSH server.
mrnoAug 29, 2008
WOW! This is the best they can do? So your kernel has to be unpatched, you need rootkit installed, and you must use a ssh key without "any" passhrase. DAMN. We got owned. Please try again. Script kiddies.
bigsteveAug 29, 2008
@init100: I know, that was the point of my post. I was advocating keys, else you'll see tons of attempts. Re-read.
stevemaxSep 2, 2008
Exactly, and that is the problem.If all package managers touched bases with upstream, a bug found and corrected by, say, Fedora would find its way in Ubuntu; and a stupid move by Debian would be found by the upstream developers quickly and it wouldn't spell disaster.See that the "bug" "corrected" by that Debian developer (the uninitialized variables used) was discussed to death in the OpenSSH community. Perhaps it could be better commented ("this function will add the contents of an uninitialized variable to a random seed. Since the contents of an uninitialized variable is basically random, this makes the random generator more robust"), but it was assumed that whoever dealt with the code would at least know the basics of a random generator. What caused disaster was a package maintainer messing with code he didn't understand to keep out a warning from the debugger (!!), code reviewers who also didn't understand the code, no communication with upstream, and no review of the diffs by someone with enough knowledge in years. Even a quick email to an upsrtream developer ("hey, did you know you use an uninitialized variable in function XXXX?") would have stopped this from happening ("Of course we do, how else would we get a known-to-be-random initial seed?")
stupotaceSep 2, 2008
Oh well, I guess it's a good thing that I didn't say it was a virus now isn't it?
tripzeroSep 4, 2008
damn, 12345 was my password. Guess it's time to change...me@my-cool-server$ su passwd