debian infrastructure ssh key logins disabled, passwords reset
Peter Palfrader
this email contains several important points. Please read all of it
carefully.
Due to the weakness in our openssl's random number generator (see the
Debian Security Advisory #1571 from a few minutes ago[1]) that affects
among other things ssh keys we have disabled public key auth on all
project systems until further notice.
If you operate a service on debian.org machines that requires key based
auth for instance to transfer stuff between hosts or to push rebuilds
please contact DSA[2] after you verified the keys in question are safe,
or have replaced them. We can enable individual accounts' key based
access.
Export of ssh keys from the LDAP to our machines is currently disabled,
and will be enabled only after we have cleared all ssh keys from the
database and put resonable safeguards in place to prevent people from
uploading bad keys. An announcement will be made on the mailinglist
debian-infrastructure-announce[4] at such time. There is no point
in adding new keys to the ldap right now.
Since the nature of the crypto used in ssh cannot ensure confidentiality
if either side uses weak random numbers[5] we have also randomized all
user passwords in LDAP. Feel free to request a new one using the
standard password recovery procedure[6], but only use the new password
once you have upgraded your client system! (We are upgrading the
servers at this moment.)
We will also have to replace several ssh host keys. We'll try to
keep db.d.o[7] as current as possible. Once we are done a new
list will be posted to dia[4].
We also had to replace the SSL certificate on db.debian.org because
its CA which is operated by Software in the Public Interest (SPI) is
known to have been created with a SSL with the bug. The new SPI
CA can be found at the SPI's secretary page[8], its fingerprints
signed by Joerg Jaspert's GPG key. They are:
SHA1: AF:70:88:43:83:82:02:15:CD:61:C6:BC:EC:FD:37:24:A9:90:43:1C
MD5: 2A:47:9F:60:BB:83:74:6F:01:03:D7:0B:0D:F6:0D:78
[A copy of the cert is available at <URL:http://ca.debian.org/spi-cacert.crt>]
Should you choose not to import SPI's root CA into your brower then
you can just accept the new cert for db.debian.org. Its fingerprints
are:
SHA1: 11:0D:E1:07:19:27:36:22:C5:CD:19:D6:E6:33:44:A2:C6:61:F7:B1
MD5: BA:6C:17:D5:38:52:80:47:A9:7F:32:BE:CF:4C:45:D4
SSL certs for other services will be replaced in the next few
hours/days as time permits.
Thanks,
Your Debian System Administrators
1. http://lists.debian.org/debian-security-announce/2008/msg00152.html
2. debian...@lists.debian.org, or through the request tracker[3]
3. http://wiki.debian.org/rt.debian.org
4. http://lists.debian.org/debian-infrastructure-announce/
5. this is pure speculation on my part, and I'd love to be proven wrong.
Alas, I think I'm right.
6. http://db.debian.org/password.html
7. https://db.debian.org/doc-hosts.html
8. http://www.spi-inc.org/secretary