Non-working GNOME SSH keys

Read this if you have a GNOME (ssh) account and it isn’t working and you want to know why.

Due to the Debian security issue, we’ve locked down the machines for public key authentication. See the announcement by Guilherme de S. Pastore to devel-announce-list. Please ensure you’re subscribed to that list (as we expect people to be)! Generally announcements are spread via Planet GNOME as well, but that is more of an extra service.

Please contact accounts@gnome.org if you have either:
* Used a DSA key on a Debian/Ubuntu machine affected by the security issue
* Generated a DSA/RSA key on an affected Debian/Ubuntu machine

Note: If you have a DSA key generated on a non-Debian/Ubuntu (e.g. Red Hat) distribution (or whatever) and used it on an affected Debian/Ubuntu machine (meaning: ssh’ed from that machine, not to such a machine), you are affected as well. So please replace your key in such cases as well.

Current plan: We’ll (well, Owen) remove all blacklisted SSH keys that we can find and inform affected people. This is to avoid the greatest security issues. Not sure yet what we’ll do about the DSA keys (they could be compromised now or in future whenever they’re used on an affected Debian/Ubuntu machine).
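
An added example, not part of the original post and not GNOME's own tooling: one way to triage an `authorized_keys` file along the lines of this plan, marking blacklisted keys for removal and DSA keys for review. The function names are hypothetical, the blacklist is assumed to be a set of MD5 key fingerprints, and the sample keys are synthetic.

```python
import base64, hashlib, re, struct

KEY_RE = re.compile(r"(?:^|\s)(ssh-rsa|ssh-dss)\s+([A-Za-z0-9+/=]+)")

def parse_key(line):
    """Return (key_type, raw_blob) for the first well-formed key on the line, else None."""
    for ktype, b64 in KEY_RE.findall(line):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        # The blob begins with a length-prefixed copy of the algorithm name; requiring
        # a match stops text inside an options string being mistaken for the key.
        if len(blob) >= 4:
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] == ktype.encode():
                return ktype, blob
    return None

def audit(text, blacklist):
    """Return [(line_number, verdict, md5_fingerprint_or_None)] for every key line."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parsed = parse_key(line)
        if parsed is None:
            out.append((no, "unparseable", None))
            continue
        ktype, blob = parsed
        fp = hashlib.md5(blob).hexdigest()  # identifier for list lookup only
        verdict = ("blacklisted" if fp in blacklist
                   else "dsa-review" if ktype == "ssh-dss" else "ok")
        out.append((no, verdict, fp))
    return out

def _blob(ktype, filler):
    """Build a syntactically valid but synthetic public key blob (constructed test data)."""
    t = ktype.encode()
    return base64.b64encode(struct.pack(">I", len(t)) + t + filler).decode()

SAMPLE = "\n".join([  # constructed sample file, not real keys
    "# accounts",
    "ssh-rsa " + _blob("ssh-rsa", b"A" * 64) + " alice@example",
    'command="echo ssh-rsa AAAA" ssh-dss ' + _blob("ssh-dss", b"B" * 64) + " bob@example",
    "ssh-rsa " + _blob("ssh-rsa", b"C" * 64) + " carol@example",
    "ssh-rsa not-base64!! broken@example",
])
BLACKLIST = {hashlib.md5(base64.b64decode(_blob("ssh-rsa", b"C" * 64))).hexdigest()}
```

`audit(SAMPLE, BLACKLIST)` marks line 4 as blacklisted and line 3 as a DSA key for review, even though line 3's options string contains the text `ssh-rsa`.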

Closing: I’m unfortunately way too busy to really help the sysadmins working on this.. plus the accounts people replacing the SSH keys. Thanks to everyone who’s helping.

3 thoughts on “Non-working GNOME SSH keys”

  1. “Note: If you have a DSA key generated on a non-Debian/Ubuntu (e.g. Red Hat) distribution (or whatever) and used it on an affected Debian/Ubuntu machine (meaning: ssh’ed from that machine, not to such a machine), you are affected as well. So please replace your key in such cases as well.”

    Care to explain this? I’m not sure I understand what you mean. Thank you.

  2. Giacomo: See http://wiki.debian.org/SSLkeys. Don’t have time to explain fully. But basically, using DSA to SSH from an affected Debian/Ubuntu system could result in your SSH private key being compromised/calculated. This is due to the inner workings of DSA (this is why it is limited to DSA and not RSA).

    Quoting from the url:
    “compromise of other keys or passwords that were transmitted over an encrypted link that was set up using weak keys. Note that this last point means that passwords transmitted over ssh to a server with a weak dsa server key could be compromised too; see the Debian project’s reaction to this.”

    Of course, all keys generated on affected Debian/Ubuntu systems are bad.

  3. Thank you. I missed that part when I first read the page. Or maybe it wasn’t there yet.
