SSH Keys Generated on Debian/Ubuntu Compromised
A security warning posted on the Debian security list today warns that SSH keys generated on Debian based systems (including Ubuntu) have a highly predictable random number generator. This corroborates…
A security warning posted on the Debian security list today warns that SSH keys generated on Debian based systems (including Ubuntu) have a highly predictable random number generator. This corroborates what we’ve been seeing here at GitHub.
Luciano Bello discovered that the random number generator in Debian’s
openssl package is predictable. This is caused by an incorrect
Debian-specific change to the openssl package (CVE-2008-0166). As a
result, cryptographic key material may be guessable.This is a Debian-specific vulnerability which does not affect other
operating systems which are not based on Debian. However, other systems
can be indirectly affected if weak keys are imported into them.It is strongly recommended that all cryptographic key material which has
been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
systems is recreated from scratch. Furthermore, all DSA keys ever used
on affected Debian systems for signing or authentication purposes should
be considered compromised; the Digital Signature Algorithm relies on a
secret random value used during signature generation.
We STRONGLY recommend that you discontinue use of any keys generated under this configuration and update your GitHub keys after you’ve patched your Debian based system.
Written by
Related posts
2024 is the biggest global election year in history. What’s at stake for developers?
GitHub is considering what is at stake for our users and platform, how we can take responsible action to support free and fair elections, and how developers contribute to resilient democratic processes.
GitHub named a Leader in the Gartner first-ever Magic Quadrant for AI Code Assistants
This year, as part of its annual Magic Quadrant series, Gartner published a first-of-its-kind report analyzing the state of play in the AI Code Assistants market–and named GitHub a Leader.
Survey: The AI wave continues to grow on software development teams
We surveyed 2,000 people on software development teams at enterprises in the U.S., Brazil, India, and Germany about the use, experience, and expectations around generative AI tools in software development.