Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 221759 - net-misc/openssh blacklist feature for known weak keys (CVE-2008-0166)
Summary: net-misc/openssh blacklist feature for known weak keys (CVE-2008-0166)
Status: RESOLVED NEEDINFO
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://thread.gmane.org/gmane.comp.se...
Whiteboard:
Keywords:
: 222233 223149 (view as bug list)
Depends on:
Blocks:
 
Reported: 2008-05-11 23:08 UTC by Robert Buchholz (RETIRED)
Modified: 2008-08-26 21:21 UTC (History)
10 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
openssh_4.7p1-blacklist.patch (openssh_4.7p1-blacklist.patch,28.38 KB, patch)
2008-05-14 22:47 UTC, Robert Buchholz (RETIRED)
Details | Diff
openssh_1:4.7p1-10ubuntu1-blacklist.patch (openssh_1:4.7p1-10ubuntu1-blacklist.patch,4.60 KB, patch)
2008-05-14 22:49 UTC, Robert Buchholz (RETIRED)
Details | Diff
openssh-5.0p1-blacklist.patch (openssh-5.0p1-blacklist.patch,16.72 KB, patch)
2008-05-31 09:50 UTC, SpanKY
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-05-11 23:08:12 UTC
As discussed on vendor-sec, the PRNG in Debian and Ubuntu is generating key pairs from a very small key space. This mostly affects openvpn, and openssh. This problem does not directly affect Gentoo, our ssl library does not include the weakness. But Gentoo systems might be affected if users with SSH keys generated on a Debian/Ubuntu after 2006 are allowed to login.

Ubuntu is preparing a patch to implement blacklisting known vulnerable keys inside sshd. I believe we should include that patch in our openssh ebuild as a precautionary measure.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-05-14 17:12:26 UTC
The blacklist feature is introduced with (parts of) this patch:
http://patches.ubuntu.com/o/openssh/openssh_1:4.7p1-10ubuntu1.patch

Since Gentoo is only indirectly affected, and there are tools to check for the existence of bad keys, this is rather an enhancement. Base-system, what are your thoughts on that?
Comment 2 SpanKY gentoo-dev 2008-05-14 17:37:10 UTC
i'm having a hard time picking out what the changes are based on that patch ... it looks like it's a patch against Debian's patched version of openssh

what exactly is the behavior of the proposed changes ?  some program to scan for keys ?  the sshd actively ignoring weak keys ?  a warning when you login ?
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-05-14 18:05:06 UTC
The blacklist feature (still haven't found the actual blacklist on the Ubuntu site yet) will refuse people logging in with known weak keys. I haven't found a readable patch yet.
Comment 4 Mike Doty (RETIRED) gentoo-dev 2008-05-14 18:42:05 UTC
infra would be interested in something like this.  Ideally, it would be controllable via sshd_config to do nothing, warn, or refuse.
Comment 5 SpanKY gentoo-dev 2008-05-14 19:03:01 UTC
exactly ... i dont want a patch that simply disables all keys that are weak.  if your root key happens to be weak, then upgrading ssh just locked you out.  that's no good.

packages.debian.org has an openssh blacklist package
Comment 6 SpanKY gentoo-dev 2008-05-14 19:03:57 UTC
btw, for infra purposes, ive setup a cronjob on most of my machines that scan all ssh keys with the dowkd.pl script the debian guys have ... any user found with a weak key gets an e-mail and their key deleted :)
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-05-14 19:04:49 UTC
Sorry, my fault. The patch does not actually introduce this feature yet.

Here's the blacklist:
http://security.debian.org/debian-security/pool/updates/main/o/openssh-blacklist/openssh-blacklist_0.1.1.tar.gz

Here's the ChangeLog:
openssh (1:4.7p1-9) unstable; urgency=critical

  * Fill in CVE identifier for security vulnerability fixed in 1:4.7p1-8.
  * Mitigate OpenSSL security vulnerability (CVE-2008-0166):
    - Add key blacklisting support. Keys listed in
      /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by
      sshd, unless "PermitBlacklistedKeys yes" is set in
      /etc/ssh/sshd_config.
    - Add a new program, ssh-vulnkey, which can be used to check keys
      against these blacklists.
    - Depend on openssh-blacklist.
    - Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least
      0.9.8g-9.
    - Automatically regenerate known-compromised host keys, with a
      critical-priority debconf note. (I regret that there was no time to
      gather translations.)

 -- Colin Watson <cjwatson@debian.org>  Tue, 13 May 2008 12:33:38 +0100



And here's the (huge) diff:
http://ftp.debian.org/debian/pool/main/o/openssh/openssh_4.7p1-9.diff.gz
Comment 8 Mike Doty (RETIRED) gentoo-dev 2008-05-14 19:25:38 UTC
(In reply to comment #6)
> btw, for infra purposes, ive setup a cronjob on most of my machines that scan
> all ssh keys with the dowkd.pl script the debian guys have ... any user found
> with a weak key gets an e-mail and their key deleted :)
> 

care to share how you did it?  It seems like a reasonable solution until this sshd blacklist patch is available.
Comment 9 SpanKY gentoo-dev 2008-05-14 20:10:00 UTC
#!/bin/sh

export PATH=/usr/local/bin:${PATH}

users=$(
    dowkd.pl -c /var/cache/dowkd.db file /home/*/.ssh/authorized_keys 2>&1 | \
    grep weak | \
    sed \
        -e 's:^/home/::' \
        -e 's:/.*::'
)
for u in $users ; do
    rm -f /home/$u/.ssh/authorized_keys 
    cat <<-EOF | mail -s "weak Debian key detected in your account" $u
    One of your ssh keys on `hostname` has been found to be weak.

    For more information, please review:
    http://lists.debian.org/debian-security-announce/2008/msg00152.html

    Your key has been automatically removed.
    EOF
done
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-05-14 22:47:53 UTC
Created attachment 153175 [details, diff]
openssh_4.7p1-blacklist.patch

The original Debian blacklist patch, extracted from "openssh_4.7p1-9.diff.gz" and resynced against Gentoo's "openssh-4.7_p1-r6"
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-05-14 22:49:51 UTC
Created attachment 153177 [details, diff]
openssh_1:4.7p1-10ubuntu1-blacklist.patch

Ubuntu's bugfix patch, excerpt from openssh_1:4.7p1-10ubuntu1.patch
Comment 12 Mike Doty (RETIRED) gentoo-dev 2008-05-14 23:19:52 UTC
so the info doesn't get lost:  This is how to generate a line for the blacklist file:

ssh-keygen -l -f some_key.pub | awk '{print $2}' | cut -d ':' -f 7- | sed -e 's/://g'

one fingerprint per line, the file sorted.

vapier:  any chance we can get these patches in? maybe use-flag based?
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-05-15 21:51:40 UTC
*** Bug 222233 has been marked as a duplicate of this bug. ***
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-05-16 16:29:54 UTC
vapier, do you have plans to include the patch? Judging from comments here and on the duplicate, there is some user request.
Comment 15 Hubert Mercier 2008-05-16 17:49:30 UTC
Hi,

I confirm : this is a strong user request, since our gentoo servers are vulne
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-05-16 19:27:45 UTC
See the discussion in http://thread.gmane.org/gmane.comp.security.oss.general/409
Comment 17 solar (RETIRED) gentoo-dev 2008-05-16 19:29:23 UTC
(In reply to comment #15)
> I confirm : this is a strong user request, since our gentoo servers are vulne

Hubert, Please clarify what you mean buy what are our servers vuln
Comment 18 echtler 2008-05-17 11:39:51 UTC
I second this request - I think blacklisting would be a handy feature to have.
On our server, we had at least one user with Debian-generated keys, and it took me a while to cobble together a script to check them (didn't look here first, unfortunately :-). In any case, you also wouldn't want to authenticate against a server with a weak host key, so blacklist warnings would be good here, too.
To put things into perspective: a weak key has about the same entropy as a alphanumeric password of a whopping three characters (case-insensitive).

Florian
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2008-05-18 23:12:07 UTC
For anyone curious, CVE-2008-2285 has been assigned to the issue fixed by openssh_1:4.7p1-10ubuntu1-blacklist.patch.
Comment 20 Hubert Mercier 2008-05-19 12:15:06 UTC
> Hubert, Please clarify what you mean buy what are our servers vuln

Sorry, made a mistake while typing, and didn't notice that my message was not complete.

My situation is the following : a few unix servers on which nearly 2000 students work. Some of these students generated their key with "compromised" openssl engines (ubuntu...). For those users I ran dowkd, and disabled their key "manually". But, since our openssh servers do not have a blacklisting function, I will have to nighlty run this manual check, to avoid future users with compromised keys to authenticate with ?

Integrating the blacklist directly in the openssh server would probably be the most practical solution I think ? Or maybe we have another way to deal with this problem ? Maybe it should be discussed with the openssl dev team ?

Cheers,

Hubert.
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2008-05-22 08:01:05 UTC
*** Bug 223149 has been marked as a duplicate of this bug. ***
Comment 22 SpanKY gentoo-dev 2008-05-31 09:50:44 UTC
Created attachment 154917 [details, diff]
openssh-5.0p1-blacklist.patch

ive added openssh-blacklist to the tree (but needs arch testing)

this patch is from Owl/Alt ... you can just add to openssh-5.0_p1.ebuild:
epatch "${FILESDIR}"/${PN}-5.0p1-blacklist.patch #221759

if people can test, i imagine i'll add as USE=blacklist ... the default behavior is to allow blacklisted keys but warn ... in the future we can adjust to reject
Comment 23 SpanKY gentoo-dev 2008-06-21 04:52:59 UTC
i wasnt kidding when i said i'm not adding this until i get feedback
Comment 24 Thomas R. (TRauMa) 2008-08-15 14:56:09 UTC
Feedback: patch WFM, but the config file could use a commented out entry for IgnoreBlacklistErrors, and the manpage claims the default for this option to be version, while the default really is all (as you said above, just to remind people). Oh, and a rdepend like "blacklist? ( net-misc/openssh-blacklist )" would be good, too.