Holes in ssh are always a big deal
As everything relies on it


I view holes in ssh as a “big deal”, so today’s announcement of a major hole in ssh sent chills down my spine. While any attack against it would have to be sophisticated - involving the compromise of the ssh server itself in the first place - there are plenty of attacks and high value targets out there.

A single malicious server that I have talked to - say for example - one implanted at github - could have leaked my private keys for my own servers and services. Or vice versa.

I talk to a lot of ssh servers. Unlike some, I rely on very few other forms of infrastructure besides ssh - the command line is my friend, and I script a lot of things. I have nailed up tunnels, backup servers, and other services all basically secured by ssh - which, given the constant churn in TLS security, I was happy with, until today. In all my planning not once did I envision a server side hole that could leak my private client keys.

I will regard this as an “oops” on my part - what I should have been doing is generating a unique public keypair per public service I’d been interoparting with. That way only that key could have been compromised.

First up - close the barn door

This is, in part, a client side vulnerability - so first - close up the client by adding the right stuff to the ssh_config files everywhere. Or (as it turned out) doing an apt-get update; apt-get upgrade; everywhere. I am so happy that the major distro vendors handle this sort of thing rapidly and efficiently.

Terriffic, you are no longer vulnerable.

But had you exchanged any traffic with a compromised server in the past your keys could have been exposed, so now you need to revoke them all! And can you still trust any of your servers elsewhere?

Regenerate all the keys

But it’s worse than that - now I need to remember everywhere I have a passwordless login…

Fortunately for many things I have a pdsh implementation so I can push out changes easily. I use quite a few accounts worldwide, though, and after`

One of my long term concerns is the quality of random number generation on ssh-keygen on virtual hosts. I don’t know what to do about that.

It’s a bad idea to have cut myself off from something I’ve forgot about, so I set up an at job to delete my old keys after a month

I do wish ssh had TOFU (trust on first use) - it would help… ‘cause now I have to wipe out .known_hosts everywhere.

The rathole goes on and on and on.

Find me elsewhere.

Best of the blog Uncle Bill's Helicopter - A speech I gave to ITT Tech - Chicken soup for engineers
Beating the Brand - A pathological exploration of how branding makes it hard to think straight
Inside the Internet Mind - trying to map the weather within the global supercomputer that consists of humans and google
Sex In Politics - If politicians spent more time pounding the flesh rather than pressing it, it would be a better world
Getting resources from space - An alternative to blowing money on mars using NEAs.
On the Columbia - Why I care about space
Authors I like:
Doc Searls
Jerry Pournelle
The Cubic Dog
David Brin
Charlie Stross
Eric Raymond
Anonymous
WikiLeaks
The Intercept
Chunky Mark
Brizzled
Dan Luu's rants about hardware design
Selenian Boondocks
Transterrestial Musings
Callahans

January 14, 2016
454 words


Tags
security