I'd like to point out this interesting read:
Zak B. Elep: OpenSSL Ouch
I won't repeat it here, but there's DSA-1571-1 waiting for your attention, especially if you made some material out of openssl over the last couple of years or so. Yes, you read it right: COUPLE.
Upgrading to the new OpenSSL is easy. Generating new keys is another story.
To save (or add to, depending on how you handle this) your pain, there is a simple checker that can currently see if your OpenSSH or OpenVPN public keys are weak enough to warrant replacement. I await a version that can handle X.509 certificates too (though I only just generated a new one today, before the announcement, so that means I have to do it again (and get its CSR to CACert for signing, etc.)).
And yeah, if you're running openssh-server, consider regenerating your host RSA and DSA keys, e.g.:
# mv /etc/ssh/ssh_host_{dsa,rsa}_key* /some/place/else
# dpkg-reconfigure -plow openssh-server
That should regenerate your keys and restart openssh-server once the new keys are installed to /etc/ssh.
The hard part (of making sure all the keys of your systems are updated and tested) is still up to you, however.
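For the "hard part" of auditing every key, here is an added example (not the checker the post refers to, and not code from the original author) that fingerprints OpenSSH RSA/DSA public-key lines and flags those found in a list of known-weak fingerprints. It assumes you have such a list of MD5 key fingerprints from your distribution; the function names, sample keys and the one "weak" entry below are constructed for illustration.

```python
import base64, binascii, hashlib, struct

KEY_TYPES = {"ssh-rsa", "ssh-dss"}  # RSA and DSA, the key types the post mentions

def fingerprint(line):
    """Return (key_type, md5_hex) for a .pub / authorized_keys line, else None."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field not in KEY_TYPES:
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except (binascii.Error, ValueError):
            continue  # key-type word appeared inside an options string
        # A real key blob begins with a length-prefixed copy of its type name.
        if len(blob) < 4:
            continue
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] == field.encode():
            # Classic OpenSSH fingerprint: MD5 over the decoded key blob.
            return field, hashlib.md5(blob).hexdigest()
    return None

def audit(lines, weak_fingerprints):
    """Return [(line_no, key_type, md5_hex)] for keys listed as weak."""
    hits = []
    for no, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parsed = fingerprint(line)
        if parsed and parsed[1] in weak_fingerprints:
            hits.append((no, *parsed))
    return hits

def constructed_line(key_type, filler, prefix=""):
    """Build a syntactically valid but fake public-key line for the demo."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + filler
    return f"{prefix}{key_type} {base64.b64encode(blob).decode()} demo@example"

SAMPLE = [  # constructed authorized_keys content, not real keys
    "# constructed sample",
    constructed_line("ssh-rsa", b"\x01" * 32),
    constructed_line("ssh-dss", b"\x02" * 32, prefix='command="x ssh-rsa y" '),
    "not a key line",
]
WEAK = {fingerprint(SAMPLE[1])[1]}  # pretend the first key is on the weak list

if __name__ == "__main__":
    for no, ktype, fp in audit(SAMPLE, WEAK):
        print(f"line {no}: {ktype} {fp} is listed as weak, replace it")
```

Feed `audit` the lines of each `authorized_keys`, `known_hosts`-style or `ssh_host_*_key.pub` file you manage, with the weak set loaded from your distribution's list.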