ssh-vulkey : How to test weak SSH keys on your server

This might be stale news by most security alert people, but I felt compelled to write this post nevertheless. Byy this time most security alert people have realised that a serious security vulnerability has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems, and there are a lot of sites have published information about it. [1] [2] [3] [4] [5].

This vulnerability caused OpenSSL to generate “common” and predictable keys, which is easily crackable by using brute-force algorithm. In the extreme case, some of the keys are successfully cracked in 2 hours time. Longer keys 8192-bit RSA keyset might take as short as 129 days to generate as opposed to hundred of years if the keys were generated securely.

Which Ubuntu Linux system are affected ?
As Ubuntu linux operating system is based on Debian, it inherited Debian vulnerability problem. Users who has generated keys under (before updating to the new OpenSSL package via automatic updates, which is before May 13 2008) — Ubuntu 7.04 Ubuntu 7.10 Ubuntu 8.04 LTS are all affected by this vulnerability

Other system which uses the keys generated by Debian and the above mentioned Ubuntu system is also affected as the keys might allow malicious 3rd party user to abuse the system. SSH login which uses these keys will not be considered secure anymore, and are advised to update their SSH keys immediately.

How to check against weak SSH keys ?
A system is as strong as its security measures (in this case, the key) to protect it. By using ssh-vulkey as detailed in Ubuntu Security Notice 612-2, you can detect weak keys in your system, and updates them accordingly.

Run “sudo ssh-vulnkey -a” command to check against weak keys :

ssh-vulnkey -a

ssh-vulnkey -a
Not blacklisted: 2048 fa:2e:1d:a6:84:64:a1:80:c4:31:68:5a:b0:1a:cb:fe /etc/ssh/ssh_host_rsa_key.pub
Not blacklisted: 1024 f4:34:04:85:58:a0:6b:0a:a1:b9:2d:3b:e6:19:5a:76 /etc/ssh/ssh_host_dsa_key.pub
COMPROMISED: 2048 5c:10:8a:c0:55:8c:1f:d9:4b:05:f0:35:0a:0d:2f:5c /home/someuser/.ssh/authorized_keys
Not blacklisted: 2048 a7:b4:3e:41:18:cb:f7:68:5e:4f:ae:30:14:d2:17:fd /home/someuser/.ssh/authorized_keys

More information about OpenSSL in Debian / Ubuntu security vulnerability :