[ILUG] serious Debian/Ubuntu security hole found
David Golden
david.golden at unison.ie
Wed May 14 15:57:50 IST 2008
On Wednesday 14 May 2008, Niall O Broin wrote:
> And just to add some fun - a tool is available at
> http://security.debian.org/project/extra/dowkd/dowkd.pl.gz to check some
> passwords. This tool fails on Ubuntu dapper (which is not a
> vulnerable distribution, but I was testing a bunch of keys on a
> dapper box) when called with the user option. This SHOULD loop
> through all users, but instead it repeatedly checks root.
>
> Niall
Debian/Ubuntu have now packaged up a nicer "ssh-vulnkeys" tool that
will check the keys, though of course it can only check
known-bad ones. Their openssh packages now depend on it, and can use it
to autocheck.
I've been paranoid enough* to impose basic ssh connection rate limiting
(i.e. < n connections per min per ip) for quite a while, due to
rampant password-type brute forcing attempts. But... how many
different public keys does an ssh server allow a client to try
on one opened connection?
* Apparently not paranoid enough to audit package sources or even just
distro changes from the likes of Debian though... :-(