Vitavonni

Sun, 18 May 2008

Removing bad SSH keys

GNOME has reacted and removed all blacklisted SSH keys from their authorized_keys, which is the minimum you should do to ensure safety.

For all I know, sourceforge.net has not yet done so (I didn't check if I could have logged in with my old key, though - maybe they installed the blacklist in the SSH server, not touching the users' keys; there is no blacklist in /etc/ssh though). authorized_keys files are world-readable, so I can log in at SourceForge and read other users' authorized_keys. With this approach I believe you could hack dozens of SSH accounts on SourceForge within a few hours, without having to employ brute-force.

These keys could then be used in turn to inject backdoors and/or trojans into other open source projects (where at least one developer with write access did use a vulnerable key).

If you were affected by the Debian OpenSSL bug, please replace your SourceForge key as soon as possible. Please verify any commits made on SourceForge until they've taken appropriate measures to block bad keys.

SourceForge and other operators of such platforms should install blacklists NOW, and remove any vulnerable keys from their databases.
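A sketch of the cleanup step described above, as an added example that is not part of the original post: it drops every authorized_keys entry whose key fingerprint appears on a blacklist and keeps comments, options and all other keys untouched. The blacklist is assumed to be a set of colon-less hex MD5 fingerprints, and the keys and blacklist below are constructed stand-ins, not real keys or the real Debian list.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # key types this sketch recognises (assumption)

def key_blob(line):
    """Return the decoded public-key blob of an authorized_keys line, or None."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field not in KEY_TYPES:
            continue  # still inside the options field
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue  # e.g. the word ssh-rsa inside a quoted command= option
        # A genuine blob starts with the length-prefixed key type name.
        if blob.startswith(struct.pack(">I", len(field)) + field.encode()):
            return blob
    return None

def fingerprint(blob):
    """MD5 of the key blob as plain hex (the classic fingerprint without colons)."""
    return hashlib.md5(blob).hexdigest()

def filter_authorized_keys(text, blacklist):
    """Return (cleaned file content, list of removed lines)."""
    kept, removed = [], []
    for line in text.splitlines():
        blob = None if line.lstrip().startswith("#") else key_blob(line)
        if blob is not None and fingerprint(blob) in blacklist:
            removed.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed

def _fake_key(seed):  # constructed stand-in blob, not a real RSA key
    blob = struct.pack(">I", 7) + b"ssh-rsa" + seed
    return blob, "ssh-rsa " + base64.b64encode(blob).decode()

WEAK_BLOB, WEAK_KEY = _fake_key(b"constructed-weak-key")
GOOD_BLOB, GOOD_KEY = _fake_key(b"constructed-good-key")
BLACKLIST = {fingerprint(WEAK_BLOB)}  # constructed, not the real Debian list
SAMPLE = "\n".join(["# constructed sample authorized_keys",
                    WEAK_KEY + " alice@laptop",
                    'command="echo ssh-rsa test" ' + WEAK_KEY + " backup@host",
                    GOOD_KEY + " bob@desktop"]) + "\n"

if __name__ == "__main__":
    print(filter_authorized_keys(SAMPLE, BLACKLIST)[0], end="")
```

Keeping the removed lines lets an operator notify the affected users instead of silently locking them out.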
