Security breach at kernel.org

graudeejs · #1 **(View Single Post)** 1st September 2011

Quote:

An unknown attacker managed to obtain root privileges for some of the most important servers at kernel.org – the main distribution site for the Linux kernel and for a variety of Linux-related software. The web site's news section shows that the administrators detected the intrusion on 28 August.

http://www.h-online.com/open/news/it...g-1334642.html

comet--berkeley · #2 **(View Single Post)** 7th September 2011

Yesterday the Register reported that Linus Torvalds, creator of Linux, stopped using kernel.org.

http://www.theregister.co.uk/2011/09...el_for_github/

Apparently the breach of kernel.org is related to a bug in the Debian Linux random number generator which greatly reduced the number of SSH keys that a cracker needs to try:

http://www.theregister.co.uk/2011/08...curity_breach/

http://www.theregister.co.uk/2008/08...tacks_warning/

Sadly, Debian is also the base for Ubuntu and many other Linux distributions so they all had this bad random number generator.

It is not enough to fix the Linux systems. The old SSH keys (public,private, etc.) need to be regenerated and redistributed after the fix as well...

Carpetsmoker · #3 **(View Single Post)** 7th September 2011

The report from the flawed debian prng is from 2008. I find it hard to believe it hasn't been fixed 3 years later ...

BSDfan666 · #4 **(View Single Post)** 7th September 2011

Well, it did require that people regenerate their keys.. so it's a possibility, but kernel.org would also have had to been using an older version of openssh, as I believe newer versions have the keys blacklisted.

comet--berkeley · #5 **(View Single Post)** 8th September 2011

Apparently all DSA keys created on a old Debian systems should be considered a liability.

http://rdist.root.org/2009/05/17/the...at-almost-was/

The Debian Security Advisory includes the following language:

"...all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised"

http://www.debian.org/security/2008/dsa-1571

I went out to Google to see how to generate SSH keys ( search on: make ssh keys ).
Many of the articles suggest using ssh-keygen with DSA like this:

ssh-keygen -t dsa

http://pkeck.myweb.uga.edu/ssh/

http://www.cyberciti.biz/tips/ssh-pu...on-how-to.html

How many Debian/Ubuntu users created ssh keys like this and then did not change them?

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
RSA breach leaks data for hacking SecurID tokens	J65nko	News	1	25th March 2011 03:57 PM
PHP.net breach: Concern over safety of source code	J65nko	News	2	24th March 2011 09:57 AM
*AMP Security: suPHP and CGI	classicmanpro	NetBSD General	1	14th February 2011 10:46 PM
Tor Project infrastructure updates in response to security breach	J65nko	News	1	22nd January 2010 06:57 PM