Ubuntu / Debian Linux Find Weak OpenSSL keys

by on June 16, 2008 · 2 comments· LAST UPDATED June 16, 2008

in , ,

This bug really was a bad one. I've client with over 200 Debian Linux server. Updating all systems wasn't the problem. With the help of Cfengine I was able to push updates but managing all workstation ssh keys (over 1000+ Windows and Linux/BSD workstations) and testing everything took so much time. Debian shouldn't have modified the package in first place. I also had to upgrade over 30 SSL certificates and a whole new CA for OpenVPN. Luckily VeriSign is providing revocation and replacement of SSL certificates (generally it is not provided free of charge) till 30-June-2008.

How do I find out all weak keys?

You can check all your weak keys with following commands:
# wget http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
# wget http://security.debian.org/project/extra/dowkd/dowkd.pl.gz.asc
# gpg --keyserver subkeys.pgp.net --recv-keys 02D524BE
# gpg --verify dowkd.pl.gz.asc
# gunzip dowkd.pl.gz
# perl dowkd.pl host localhost

You should see 0 weak keys. If you run Debian or Ubuntu Linux upgrade your OpenSSL and fix all the affected softwares. There is also wiki page that will address all your concerns. Overall it lasted for few days for large clients. How many hours did you spend updating Debian systems?

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 2 comments… read them below or add one }

1 Raj June 16, 2008 at 10:59 am

I had to upgrade 2 servers and 5 workstation host ssl keys and openssh keys. It took less than 30 minutes. Can you include tutorial about Cfengine?

TIA

Reply

2 Sean June 16, 2008 at 12:43 pm

Cfengine is a lifesaver. If you’re feeling adventurous it can take care of your keys, too. For those starting out fresh, you might want to look at puppet. It’s much more intuitive than puppet, though a bit less functional (but under constant development). There should be a tutorial coming out in a popular Linux magazine later this summer, too ;)

Sean

Reply

Leave a Comment

Tagged as: , , , , , , , , , ,

Previous post:

Next post: