Comments on: OpenSSL & OpenSSH Vulnerabilities : Confirm & Fix Instructions

By: Iñaki Silanes

Iñaki Silanes — Tue, 30 Sep 2008 11:02:48 +0000

Luciano says:

“Hey,
I would like to make you a little but important correction.

> If you do not see “weak key”
> reported then you are OK.’

That’s not totally true. dowkd.pl is really susceptible to have false positives.”

Well, either the message is not correctly phrased, or it is wrong. If dowkd.pl is susceptible to have false positives, it means that it will sometimes have a positive (it will DO say “weak key”), while the key not being really weak (hence, a “false” positive).

What Florian seems to imply is that dowkd.pl has false NEGATIVES: it sometimes says nothing (implying all keys are correct), but this is false (some might be weak).

A positive test is one in which the testing device “ticks”, and a negative one one in which the testing device remaints “silent” (regardless of what ticking or remaining silent imply).

By: Projektd

Projektd — Thu, 17 Jul 2008 02:19:05 +0000

Thanks! I needed this. Worked Great.

By: Gravin

Gravin — Tue, 27 May 2008 05:04:37 +0000

Thanks!

By: Christer Edwards

Christer Edwards — Mon, 19 May 2008 23:17:27 +0000

@Rafael – you should be seeing a new openssh upgrade soon that will include an openssh blacklist and the new vulnkey tool. This was not included in the first batch of patches. My guess is your mirror isn’t up to date just yet.

Also, (see: man ssh-keygen), “DSA keys must be exactly 1024 bits as specified by FIPS 186-2.”, which is why you get that output.

By: Gecko

Gecko — Mon, 19 May 2008 16:07:35 +0000

Thank you so much for your help on this. As a relative newbie, I wasn’t too sure what the heck I was supposed to do other than update in the face of this issue. Thanks again.

By: Rafael

Rafael — Mon, 19 May 2008 11:43:16 +0000

I have followed all the instructions but I have two problems:

1)I don’t have the tool: ssh-vulnkey

2)When I run ./dowkd.pl host , I get the following error:
server: 2048 bits DSA key not recommended

¿any idea?

Thnks in advance

By: Thomas

Thomas — Fri, 16 May 2008 06:10:17 +0000

Oh the irony, a fix for a security vulnerability that downloads a script using HTTP and then runs it…

Download the signature too, then verify it!

wget http://security…./dowkd.pl.gz.asc
gpg dowkd.pl.gz.asc

You’ll probably get a ‘key not found’ error. Import the key (it’ll tell you the RSA key ID):

gpg –recv-keys 02D524BE

Now when you run it again. It should tell you that the signature matches, but that the key is untrusted.

Now the real fun begins

You need to verify the key signature, then you need to decide if you actually trust this “Florian Weimer” guy, and _THEN_ you can run the script!
(I can tell you, but that’d be pointless ‘cos then you’d have to decide whether or not you trust me

Security is NOT easy, but failing to do the above means that you’re on par with the guy who runs “WindowsSecurityPatch.exe” attachments he gets in the mail.

By: Yazz D. Atlas

Yazz D. Atlas — Thu, 15 May 2008 18:28:08 +0000

!/bin/bash
wget http://security.debian.org/project/extra/dowkd/dowkd.pl.gz && \
gzip -d dowkd.pl.gz && \
for i in $(/bin/ls -1 /home ); do perl dowkd.pl user $i; done && \
for i in $(/bin/ls -1 /etc/ssh/*.pub) ; do perl dowkd.pl file $i; done

By: Nick M

Nick M — Wed, 14 May 2008 20:12:45 +0000

Wow, thanks! I think I just found my new favorite Ubuntu site!

By: Manfred

Manfred — Wed, 14 May 2008 14:40:08 +0000

When I tried your script I got the following message:

./dowkd.pl user
/home/jonny/.ssh/authorized_keys:1: warning: unparsable line

Is that indicating a problem?