Yesterday, a very critical bug in Debian's OpenSSL package was made
public ([1], CVE-2008-0166). New packages have been uploaded by at
least Debian and Ubuntu. Please upgrade all your systems and
regenerate SSL, SSH, HTTPS and other affected keys (basically
everything using OpenSSL). Please see your distribution's website for
more information.
Debian:
http://www.us.debian.org/security/
http://www.us.debian.org/security/2008/dsa-1571
http://lists.debian.org/debian-security-announce/2008/msg00152.html
Ubuntu:
http://www.ubuntu.com/usn/
http://www.ubuntu.com/usn/usn-612-1
http://www.ubuntu.com/usn/usn-612-2
http://www.ubuntu.com/usn/usn-612-3
http://www.ubuntu.com/usn/usn-612-4
Ganeti uses OpenSSL for encryption on the RPC layer and SSH for
executing commands. The SSL certificate is automatically generated
when the cluster is initialized and it's copied to added nodes
automatically together with the master's SSH host key.
The files listed below need to be regenerated or modified on every
Ganeti node. Paths may vary depending on your distribution. In
general, modifications should be done on the master node and then
distributed to all nodes of a cluster (possibly using a pendrive, but
don't forget to use "shred" to remove the files securely afterwards).
(1) /etc/ssh/ssh_host_*
Depends on your distribution. For example, Debian automatically
regenerates the host keys when upgrading to the new package. Make sure
to copy the master's SSH host keys to all other nodes.
(2) ~root/.ssh/id_dsa*
Run this command to rebuild it:
ssh-keygen -t dsa -f ~root/.ssh/id_dsa -q -N ""
(3) ~root/.ssh/authorized_keys
Edit the file and update it with the newly generated root key.
(4) /var/lib/ganeti/server.pem
Run the following command to generate a new key:
chmod 0600 /var/lib/ganeti/server.pem &&
openssl req -new -newkey rsa:1024 -days 1825 -nodes \
-x509 -keyout /var/lib/ganeti/server.pem \
-out /var/lib/ganeti/server.pem -batch &&
chmod 0400 /var/lib/ganeti/server.pem &&
/etc/init.d/ganeti restart
(5) /var/lib/ganeti/known_hosts
Edit the file and update it with the newly generated SSH host key.
In the end, the files mentioned above should be identical for all
nodes in a cluster. Also do not forget to run "gnt-cluster verify".
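As an added example (not part of Michael's message), a small POSIX shell helper to check the last point above, that the regenerated files are identical on every node, before running "gnt-cluster verify". The file list, the root home path and the ssh invocation are assumptions about a typical setup; adjust them to your distribution.

```shell
#!/bin/sh
# Files that, per the steps above, must end up identical on every node.
# The glob for the SSH host keys is expanded on the remote node.
FILES='/etc/ssh/ssh_host_* /root/.ssh/id_dsa /root/.ssh/id_dsa.pub'
FILES="$FILES /root/.ssh/authorized_keys /var/lib/ganeti/server.pem"
FILES="$FILES /var/lib/ganeti/known_hosts"

# Run on the master as root: print "node checksum path" for each node given.
collect_checksums() {
    for node in "$@"; do
        # FILES is meant to word-split inside the remote command string
        ssh -n "$node" "sha1sum $FILES" 2>/dev/null |
            awk -v n="$node" '{ print n, $1, $2 }'
    done
}

# Read "node checksum path" lines on stdin. Print one line per path whose
# checksum differs between nodes or which is missing on some node, with the
# first 8 hex digits of each node's checksum. Exit 1 if anything was printed.
report_mismatches() {
    awk '
        {
            all_nodes[$1] = 1
            if (!(($3, $2) in seen)) { seen[$3, $2] = 1; distinct[$3]++ }
            present[$3]++
            detail[$3] = detail[$3] " " $1 "=" substr($2, 1, 8)
        }
        END {
            total = 0
            for (n in all_nodes) total++
            bad = 0
            for (f in present)
                if (distinct[f] > 1 || present[f] != total) {
                    print f ":" detail[f]
                    bad = 1
                }
            exit bad
        }'
}

# Example run on the master (uncomment and use your node names):
# collect_checksums node1.example.com node2.example.com | report_mismatches
```

A non-zero exit from report_mismatches means a node still carries an old or differently generated file and needs another copy from the master.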
Regards,
Michael
See also http://wiki.debian.org/SSLkeys.