SSH host key vulnerability


Last week, it came to our attention that some Bytemark servers which were provisioned with certain, recent Linux distributions share some of the same SSH host keys.

During the server imaging process, SSH host keys were routinely being removed and regenerated but certain keys from the imager remained in place.

This by itself is not a major cause for concern, but it is possible that affected servers are more vulnerable to man-in-the-middle attacks using these keys. However this would require additional steps to exploit, for example DNS spoofing of network addresses. It would not allow casual drive-by decryption of traffic since SSH uses disposable session keys for encryption.

Once we discovered this issue, we took the following steps:[ulist]
[]sent a list of SSH host keys present in the image for all distributions to our managed services team, so that they could proactively replace any keys that might not be unique.[]notified all affected customers and provided instructions on how to fix this for themselves.
[]removed all existing SSH host keys in our imager, for all distributions.
]our image management tools now remove any host keys left over after creating or updating an image.
[]new ECDSA host keys will not be generated for images that had them previously. This will be re-instated in the future.
]the imaging process makes sure all host keys are removed, before generating new ones.[/ulist]

We also committed to publishing this forum post today.

So far, we’re unaware of any servers that have been exploited as a result of this vulnerability.

However, as soon as this flaw was identified, we took proactive steps to inform customers and minimise any additional risk.

How to check if your keys are non-unique

Your machine may have three or four types of keys of which only RSA, DSA, and ECDSA keys need to be checked, if your machine has them. These will usually be in files in /etc/ssh named ssh_host_rsa_key, ssh_host_dsa_key or ssh_host_ecdsa_key. For each of these files run:

$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key $ ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key $ ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key

Each command will give you a fingerprint which can check against the published list of known-bad fingerprints shown below. You only need regenerate keys that have fingerprints that appear in the list below.

How to generate fresh host keys

In order to regenerate the affected keys, you should run the following comands on the affected machine, as root. Remember, you only need regenerate the keys with fingerprints that appear in the list below.

[code] # rm /etc/ssh/ssh_host_ecdsa_key /etc/ssh/
# /usr/bin/ssh-keygen -t ecdsa -N ‘’ -f /etc/ssh/ssh_host_ecdsa_key

    # rm /etc/ssh/ssh_host_dsa_key /etc/ssh/
    # /usr/bin/ssh-keygen -t dsa -N '' -f /etc/ssh/ssh_host_dsa_key

    # rm /etc/ssh/ssh_host_rsa_key /etc/ssh/
    # /usr/bin/ssh-keygen -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key

    # /etc/init.d/ssh restart[/code]

Please be aware that the next time you log in to your machine over SSH you may be greeted with a large warning message stating that the remote host identification has changed. This is expected since you’ll have changed the host keys.

While all affected customers have been contacted, please get in touch if you have any questions or concerns - we’re at, or drop a comment on this forum post.


The complete list of fingerprints

[code] 256 22:66:52:18:93:e6:06:b1:f6:08:46:fa:f2:4e:e8:b3 (ECDSA)
256 35:52:05:d3:ab:2b:0c:f9:0e:a0:2c:fd:59:9a:5b:35 (ECDSA)
256 73:ba:00:a3:22:d1:dd:0a:26:46:b2:5f:b3:bd:ca:e1 (ECDSA)
256 93:d8:8d:71:4a:f2:1d:96:85:4f:5f:5e:e2:53:77:59 root@precise (ECDSA)
256 98:aa:c5:2e:5a:09:63:13:29:73:7f:11:a9:c2:13:d4 (ECDSA)
256 e0:19:ea:39:7f:3e:6a:4a:4e:11:2a:96:ee:12:da:a0 (ECDSA)
256 e3:77:d8:b7:b7:49:36:72:87:3e:47:c2:36:ec:51:2c (ECDSA)
256 e7:f5:9a:f6:99:5d:67:ae:ec:4b:ee:bd:d0:73:b3:51 root@precise (ECDSA)

1024 96:f3:22:af:5c:60:ad:74:01:41:55:42:b4:6f:88:f5 root@mirror2 (DSA)
1024 b0:dd:77:cf:83:c4:d2:8a:12:75:e2:4d:f2:c4:ca:49 (DSA)
1024 b1:2b:08:17:ee:d9:a9:da:44:47:44:9b:e0:f7:d8:ad (DSA)
1024 e9:df:0d:82:55:d8:e5:1f:8b:8d:d6:71:d9:f0:f5:ce (DSA)

2048 59:c7:23:3e:29:4a:da:39:d1:c5:bc:43:e6:a9:e4:5d (RSA)
2048 6a:19:cf:6a:92:be:86:37:a8:ce:c8:06:84:9e:06:57 root@mirror2 (RSA)
2048 9a:70:ca:20:44:df:4a:9b:74:9f:e8:0a:15:d8:79:a0 (RSA)
2048 f7:4f:57:79:e5:f6:c4:c5:67:37:43:30:dd:fc:92:ee (RSA)[/code]