debian infrastructure ssh key logins disabled, passwords reset

From: Peter Palfrader <weasel-AT-debian.org>
To: debian-devel-announce-AT-lists.debian.org
Subject: debian infrastructure ssh key logins disabled, passwords reset
Date: Tue, 13 May 2008 15:45:42 +0200
Message-ID: <20080513134542.GA9467@intrepid.palfrader.org>

Hi,

this email contains several important points. Please read all of it
carefully.

Due to the weakness in our openssl's random number generator (see the
Debian Security Advisory #1571 from a few minutes ago[1]) that affects
among other things ssh keys we have disabled public key auth on all
project systems until further notice.

If you operate a service on debian.org machines that requires key based
auth for instance to transfer stuff between hosts or to push rebuilds
please contact DSA[2] after you verified the keys in question are safe,
or have replaced them. We can enable individual accounts' key based
access.

Export of ssh keys from the LDAP to our machines is currently disabled,
and will be enabled only after we have cleared all ssh keys from the
database and put reasonable safeguards in place to prevent people from
uploading bad keys. An announcement will be made on the mailing list
debian-infrastructure-announce[4] at such time. There is no point in
adding new keys to the ldap right now.

Since the nature of the crypto used in ssh cannot ensure confidentiality
if either side uses weak random numbers[5] we have also randomized all
user passwords in LDAP. Feel free to request a new one using the
standard password recovery procedure[6], but only use the new password
once you have upgraded your client system! (We are upgrading the
servers at this moment.)

We will also have to replace several ssh host keys. We'll try to keep
db.d.o[7] as current as possible. Once we are done a new list will be
posted to dia[4].

We also had to replace the SSL certificate on db.debian.org because its
CA which is operated by Software in the Public Interest (SPI) is known
to have been created with an SSL with the bug.

The new SPI CA can be found at the SPI's secretary page[8], its
fingerprints signed by Joerg Jaspert's GPG key. They are:

  SHA1: AF:70:88:43:83:82:02:15:CD:61:C6:BC:EC:FD:37:24:A9:90:43:1C
  MD5:  2A:47:9F:60:BB:83:74:6F:01:03:D7:0B:0D:F6:0D:78

[A copy of the cert is available at
<URL:http://ca.debian.org/spi-cacert.crt>]

Should you choose not to import SPI's root CA into your browser then you
can just accept the new cert for db.debian.org. Its fingerprints are:

  SHA1: 11:0D:E1:07:19:27:36:22:C5:CD:19:D6:E6:33:44:A2:C6:61:F7:B1
  MD5:  BA:6C:17:D5:38:52:80:47:A9:7F:32:BE:CF:4C:45:D4

SSL certs for other services will be replaced in the next few hours/days
as time permits.

Thanks,
Your Debian System Administrators

1. http://lists.debian.org/debian-security-announce/2008/msg...
2. debian-admin@lists.debian.org, or through the request tracker[3]
3. http://wiki.debian.org/rt.debian.org
4. http://lists.debian.org/debian-infrastructure-announce/
5. this is pure speculation on my part, and I'd love to be proven wrong.
   Alas, I think I'm right.
6. http://db.debian.org/password.html
7. https://db.debian.org/doc-hosts.html
8. http://www.spi-inc.org/secretary
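
Added example, not part of the original message and not Debian's actual tooling: one way an upload safeguard of the kind the message mentions could screen submitted authorized_keys lines against a list of known-weak key fingerprints. The function names, the key lines and the fingerprint list are all constructed for illustration; a real deployment would load a published list of weak-key fingerprints instead.

```python
import base64, hashlib, struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def make_constructed_key(seed: bytes) -> str:
    """Build a well-formed ssh-rsa line from a seed (constructed, not a usable key)."""
    n = b"\x00" + hashlib.sha256(seed).digest() * 8  # stand-in modulus
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " user@constructed"

def parse_key_line(line: str):
    """Return (key_type, blob), skipping any leading authorized_keys options."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            blob = base64.b64decode(fields[i + 1], validate=True)
            (name_len,) = struct.unpack(">I", blob[:4])
            # The type named in the text must match the type inside the blob.
            if blob[4:4 + name_len].decode("ascii", "replace") != field:
                raise ValueError("key type does not match key blob")
            return field, blob
    raise ValueError("no supported public key found")

def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 of the public key blob, as classic OpenSSH prints it."""
    digest = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def screen_keys(lines, weak_fingerprints):
    """Split submitted lines into accepted keys and (line, reason) rejections."""
    accepted, rejected = [], []
    for line in (raw.strip() for raw in lines):
        if not line or line.startswith("#"):
            continue
        try:
            _, blob = parse_key_line(line)
        except (ValueError, struct.error) as exc:
            rejected.append((line, f"unparseable: {exc}"))  # fail closed
            continue
        fp = md5_fingerprint(blob)
        if fp in weak_fingerprints:
            rejected.append((line, f"known-weak key {fp}"))
        else:
            accepted.append(line)
    return accepted, rejected

# Constructed sample data: one key treated as weak, one accepted key with options.
WEAK_LINE = make_constructed_key(b"weak")
GOOD_LINE = 'from="192.0.2.1" ' + make_constructed_key(b"good")
WEAK_FINGERPRINTS = {md5_fingerprint(parse_key_line(WEAK_LINE)[1])}
```

Lines that cannot be parsed are rejected rather than passed through, so a malformed upload cannot bypass the fingerprint check.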