Monthly Archive for May, 2008

More theme changes.

Yup, it looks different again.

This time, I’ve made a few style changes to make the top header green and added some stars to it. This looks way cooler than the blue before. Also, something special happens if I leave a comment on an entry here.

Furthermore, the text for the page you are currently on (Blog/Contact Me/Archives etc.) will now show up in bold, in addition to having a white background. This makes it a little clearer.

These changes all happened without editing the core files of K2, my blog theme, as it has a neat way to utilize custom CSS in it.

As always, feel free to leave your thoughts, they’ll be duly noted.

How to deal with the recent random number generator bug in OpenSSL and update your SSH keys.

Edit: 16 may 2008: Please read this correction, if you’ve already read this article.

Edit: 19 may 2008: Doh! Also forgot to mention that you of course need to remove your vulnerable keys from any systems you uploaded them to. You can do this by removing them from your ~/.ssh/id_rsa file (see this comment for more info). Guess that teaches me about getting posts out in a hurry. Luckily, most upgraded SSH servers currently detect most compromised keys, so your compromised keys will usually be rejected.

You may have heard of the predictable random number generator bug in Debian and distributions based on Debian (like Ubuntu).

Those of you using SSH to log in to other systems are probably the most affected by this, so here is a quick tutorial to get you back up and running:

First, make sure you upgrade your system. This is a prerequisite before fixing your SSH keys. On most Debian-based systems, your update process will be like this:

apt-get update
apt-get upgrade

You might need to add sudo before both commands if you’re not root and are on a system that allows you to sudo to root.

Presumably, your system will list that some SSL packages will need to be updated, so run the upgrade.

Your system might ask you to restart some processes, and recommend that you reboot. I’d recommend following this advice and just restarting your system, but if you really can’t, make sure you at least restart the processes on your system that make use of OpenSSL.

Next, depending on whether you’re using Debian stable or unstable, or another distribution like Ubuntu, you might have a new application called ssh-vulnkey.

Running it without any arguments will check whether any SSH keys you have are vulnerable. Note that this might yield false negatives, so it’s best to replace your SSH keys anyway, but if you want to take the risk, that’s fine with me.

The output will be somewhat like this:

Unknown (no blacklist information): 2048 d0:c6:da:f5:e2:30:b0:3a:20:df:97:5a:47:2d:87:f0 /home/niek/.ssh/id_rsa.pub

Correction (16 may 2008): your output should look like this (this is important, because else the blacklist checker doesn’t have a good blacklist for your key):

Not blacklisted: 2048 d0:c6:da:f5:e2:30:b0:3a:20:df:97:5a:47:2d:87:f0 niek@lithium

You might need to install openssh-blacklist for it to show up like that, which you can do like this:

apt-get install openssh-blacklist

This presumably means that your key is not vulnerable. You still might want to generate a new one anyway (better safe than sorry, right?).

If you choose to generate a new SSH key, then first back up your old one:

mv ~/.ssh ~/.ssh.bak

Next, we can safely generate a new SSH key, just run:

ssh-keygen

and follow the interactive prompt.

Next, you need to tell your servers about your new SSH key, but you can’t log in with it yet, because they only know the old one. Luckily you backed up your old key, so you can still log in to your server with it (adjust the path if you put the backup somewhere other than ~/.ssh.bak):

ssh -i ~/.ssh.bak/id_rsa yourserver.invalid

Next, put your new public key (which probably is in ~/.ssh/id_rsa.pub on your home system) in ~/.ssh/authorized_keys on your server, and log out. Now try to log in again with your new SSH key.

The host key(s) of your OpenSSH server might also be vulnerable. You can check this by issuing the following commands (obviously replacing yourserver.invalid with your actual SSH server):

ssh-keyscan -t rsa yourserver.invalid|ssh-vulnkey -
ssh-keyscan -t dsa yourserver.invalid|ssh-vulnkey -
ssh-keyscan yourserver.invalid|ssh-vulnkey -

Note that some of these might not work, depending on whether your server has a host key of the algorithm we’re checking for.

The Gentoo wiki has a howto on how to generate host keys should you find yours vulnerable, or decide to update them anyway. Remember to restart your SSH server after updating those, and remember that your SSH client will probably complain that the host keys have changed the next time you try to log in to your remote system.
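As an added example (my own code, not part of the original post and not taken from ssh-vulnkey), here is how the fingerprint in the ssh-vulnkey output above is derived from a public key line, and how such a key is matched against a blacklist file, for both the id_rsa.pub/authorized_keys lines discussed earlier and the ssh-keyscan lines of the host-key check. The blacklist layout (one entry per line holding the last 20 hex digits of the MD5 fingerprint, with "#" comment lines) is my understanding of openssh-blacklist and is an assumption here; the sample key is constructed and is not a real key.

```python
import base64
import hashlib
import struct

def _string(data):
    return struct.pack(">I", len(data)) + data

def _mpint(value):
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")  # keeps a leading 0x00 when needed
    return struct.pack(">I", len(raw)) + raw

# Constructed sample: a structurally valid ssh-rsa blob, NOT a real key (n is just a 2048-bit odd number).
SAMPLE_N = (1 << 2047) | 0x10001
SAMPLE_E = 65537
SAMPLE_PUBKEY_LINE = "ssh-rsa " + base64.b64encode(
    _string(b"ssh-rsa") + _mpint(SAMPLE_E) + _mpint(SAMPLE_N)).decode() + " niek@lithium"

def parse_pubkey(line):
    """Accepts an id_rsa.pub / authorized_keys line or an ssh-keyscan line (host name first).
    Returns (key type, bit length of n, raw key blob)."""
    tokens = line.split()
    if not tokens[0].startswith("ssh-"):  # ssh-keyscan output: "host ssh-rsa AAAA..."
        tokens = tokens[1:]
    keytype, blob = tokens[0], base64.b64decode(tokens[1])
    fields, off = [], 0
    while off < len(blob):  # SSH wire format: 4-byte big-endian length, then the bytes
        (n,) = struct.unpack_from(">I", blob, off)
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    if keytype != "ssh-rsa" or len(fields) != 3:
        raise ValueError("only ssh-rsa keys are handled in this example")
    return keytype, int.from_bytes(fields[2], "big").bit_length(), blob

def md5_fingerprint(blob):
    """Colon-separated MD5 over the key blob, the fingerprint format ssh-vulnkey prints."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))

def is_blacklisted(fingerprint, blacklist_lines):
    """Assumed openssh-blacklist layout: one entry per line holding the last 20 hex
    digits (80 bits) of the MD5 fingerprint, with '#' lines as comments."""
    suffix = fingerprint.replace(":", "")[12:]
    entries = {l.strip() for l in blacklist_lines if l.strip() and not l.startswith("#")}
    return suffix in entries

def check_key(line, blacklist_lines):
    """Return (verdict, bits, fingerprint), in the spirit of ssh-vulnkey's one-line report."""
    _, bits, blob = parse_pubkey(line)
    fp = md5_fingerprint(blob)
    verdict = "COMPROMISED" if is_blacklisted(fp, blacklist_lines) else "Not blacklisted"
    return verdict, bits, fp
```

Feed it the lines of your own id_rsa.pub or the output of ssh-keyscan together with the matching blacklist file to see which entries a blacklist check would flag.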

Disclaimer: please note that I’m not ( currently at least ;-) ) a security or cryptography expert in any way, and some of my advice may be slightly incorrect or just wrong. This information is provided as is, without any warranty. Please contact a real security expert if you feel more secure with that, and don’t blame me if something goes wrong. Feel free to submit corrections in comments, and I’ll try to correct any blatant factual errors.

New theme, K2.

So, as you can see, this blog looks a bit different from when it started. I’ve switched to K2 as the new theme for this weblog. Nice added features are AJAX-based search and commenting, and some other cool stuff.

I’ll soon customize it to have some kind of header picture probably, as that’ll look a bit neater.

If there are any problems with the new theme, just notify me and I’ll get them sorted out.

My birthday presents.

(Photo: my new photo camera)

Since it’s been my birthday, I’ve gotten a new digital camera. It’s a Traveler DC-XZ6. I’ve already used it to take some neat pictures which can be seen at my Picasa album. Of course I’m new with this thing, so don’t expect miracles.

I’ve also gotten a tripod, a Velbon CX-300. It’s a pretty neat tripod, which folds up to 45 centimeters and comes with a nice carrying case bag.

(Photo: Velbon CX-300 tripod)

The camera also has fully manual controls, which allow you to set shutter times. I’ve used this to take some nice pictures of cars passing by at night, which can be seen at my Car pictures with long shutter time album.

Overall, I’m pretty happy with the camera, and it also has allowed me to take some cool panorama pictures with the aid of my tripod (more about that later.)

I’ve also gotten a Garfield pocket book (#49 to be exact) and the DVD “If I knew I was a genius”, and some Celebrations.

Hello world!

Hey everyone who might be visiting. Welcome to this shiny new blog. After much poking from tuntis, I finally caved in and got myself one.

So, what can you expect from this new blog? I have no idea. Any good suggestions are welcome. I’ll probably also make some periodical ramblings about what’s new and cool in the open-source world, or whine when stuff won’t work as I like.

As it’s my birthday soon and I’m getting a new camera, there might also be some cool pictures up here soon.

Oh yeah, I also might set up a cool theme soon, but that’s not a priority for now.