Swap out your ssh keys

14 May 2008

This post explains how to replace your existing SSH keys with new ones. This is relevant in light of a recent Debian/Ubuntu bug in the random number generator.

12 May 2008

In this introductory article, I try to write accessibly about why you should try another operating system than Windows, you might even like it!

10 April 2008

This is part two of our look at using Python with the API of the Twitter social networking website. In this post, we make twitter updates pop-up on a Linux desktop.

15 February 2008

To my surprise, my laptop has become my primary computer. With my old Fujitsu and my Macbook, I still made a remote connection to my desktop and worked there. However, with my Thinkpad, I have finally found a laptop that I am happy with, I think it is down to the quality of the keyboard. Working locally means I need to back the system up.

20 January 2008

Are you thinking about moving your computer to Linux, but worried about living without office software? Well don't be. Linux has lots of its own office software.

13 January 2008

Hello Everyone, I am rather busy at the moment so I am going to pull out some posts from my drafts folder that I never got around to publishing, so the subjects might be in a rather random order or discuss old issues but you are used to that I'm sure! Let's start with a comparison between the iPhone and the OpenMoko Neo1973-GTA02 FreeRunner.

For more on this topic, you can see my `Smart Phones and Devices`_ series.

01 January 2008

So last year, I made six predictions for 2007. How did I do?

21 December 2007

Introduction

After the last post, John Reese wrote in with a number of suggestions. I'll deal with one in this post and later we can iterate around again as we try out his other idea.

21 December 2007

Introduction

Lets say, theoretically speaking, that a person wanted to access a service that is IP restricted to their home country, but they were currently abroad.

12 December 2007

The reason: people lose laptops

11 December 2007

0. The Plan

09 December 2007

0. The Plan

08 December 2007

Laptops can get lost and stolen. Besides the inconvenience and cost of replacing it, there is the potential for your personal data to end up in the hands of an identity thief.

I have not finished everything I need to do so I am taking my new laptop with me over the Christmas holidays. This reminded me that it was about time that I encrypted my /home directory. In this article I will explain how I did it. It took a little trial and error, but the good news it that now I have figured out the theory, the process is surprisingly easy.

22 November 2007

What is the operating system that I use called? I along with 99% of the human race, call it 'Linux' when speaking. However, when writing, I often use the term "GNU/Linux" the first time in an article to appease those who use this term. Today I decided to actually think about the issue.

"What's in a name? That which we call a rose. By any other name would smell as sweet."

11 November 2007

*I have been enjoying a visit of a family member and so have been off computers for a few days. This post was written last Thursday. *

System Message: WARNING/2 (<string>, line 1); backlink

Inline emphasis start-string without end-string.

Mass production of the One Laptop Per Child XO Machine has begun according the the Beeb, congratulations to everyone involved with the project.

06 November 2007

Since my Macbook was stolen in July, I have been meaning to buy a new laptop since the insurance money came, but I just never got around to it, until last week.

27 October 2007

We recently looked at Installing Linux for someone completely new to it, where I hopefully proved that Linux is really easy to install.

For the next part of this occasional series focusing on the potential Linux user, we will undertake a quick tour of the default applications, to show a little of what you can do with Linux. This time we start with the 'Graphics' category.

22 October 2007

Two years ago, I wrote a series about the Gentoo Install process, a fairly long commentary on the Gentoo Linux handbook and installation.

Well now I attempt a similar task. This time I aim at someone who is interested in getting into computing using Linux but does not have a lot of experience in computing.

21 October 2007

Your computer contains a round hunk of metal called a 'hard disk'. This bit of metal spins around inside a drive, a bit like an old-fashioned record player. This is one of the two main reasons your computer makes a noise when it is on (the other reason being the cooling fans).

Thanks to Surachit at the Wikimedia Commons for the following diagram:

10 October 2007

I wrote this article yesterday dinner time after reading the Groklaw article that I quote below, and I then ran out to fencing, forgetting to publish it when I got back. Since then there has been further coverage on Michael Meeks's blog and an article on Linux.com, 'Novell is not forking OpenOffice'.

Yes Novell is dating the beast, but that is not relevant here

Older

About

Hello, my name is Zeth, I'll be your host here.

Command Line Warriors is about taking control of your own technology, it looks at our experiences of computing; especially using GNU/Linux, the Python programming language, the command-line and issues such as techno-ethics, best practices and whatever is cool now. If you take control of your technology then you are a Warrior too!

This site is your site too which means that you can contribute and get involved. You can leave comments using the facility provided. For me, the comments and discussions are by far the best part of the site. So please do have your say!

Latest Discussions

Zeth

May 16, 2008
To Anonymous, I tried your script with some old SSH keys and it did not manage to break into an apparently vulnerable system. 1. The script requires a known username. My system did not allow root logins. 2. After failed three logins, the script's IP address got added to deny hosts.
→ Swap out your ssh keys

Zeth

May 16, 2008
To Anonymous, I said to do three things: 1. Accept the update. 2. Replace your keys. 3. Don't *have a panic attack about it.* And I still stand by that. Most non-technical users won't even be using openssh-server. While the update, blacklists and instructions on how to regenerate comes down automatically for those that do. Indeed, I think this episode shows how fast the free/open source community can move. Everytime the open source software has a panic attack over an in-theory, technically possible, but not actually being used, 'exploit', then proprietary software people say "Look their software is no better, it is just as insecure as ours". However, that is not true. There is a range of exploits, from theoretically possible with some serious preparation and knowledge about the target system, through to automated attacks that will work against any machine without the need for knowledge about it.
→ Swap out your ssh keys

Anonymous

May 15, 2008
Like stefano says, you are being VERY irresponsible by downplaying this as only "theoretically possible with a supercomputer". Linked on the page stefano mentioned is this: http://milw0rm.com/exploits/5622 That will break into your computer in a couple hours is you're using public-key logins, which are considered the safest kind, and are used on many, many machines that are supposed to be extra secure. This is a horrible, horrible problem, and dismissing it does nobody any favours. I'd really suggest you re-write this article to accurately portray how serious the problem is.
→ Swap out your ssh keys

Ryan

May 15, 2008
Yeah, good layout too. Very clear. :) Better than the last, in fact! I'm another python/django nerd, so I'll be listening even more now. I guess one of the things that's inspiring about Django is they're concerned pretty hardcore with security fixes. Just this week, an email came out and they released new sub-versions for each major Django release to include the fix. Very awesome. For your blog post model, what did you do for entering posts? Do you still use the default admin interface, or did you make your own views for posting and whatnot? I haven't looked into it much, but does django automatically include much in the way of wysiwyg text editors for text fields?
→ How not to program WSGI

stefano

May 15, 2008
Apparently the bug makes a brute-force attack much easier than "theoretically possible with a supercomputer". http://metasploit.com/users/hdm/tools/debian-openssl/ It looks that the buggy code used the process ID as seed for generating the key, and there might only be 32,768 process IDs. Furthermore not all process ID are equally possible and one could use a range of 1000-3000 seeds and having a very high chance of producing a valid key.
→ Swap out your ssh keys

Bug

May 15, 2008
@txwikinger: Thing is, I don't use Ubuntu and I can't remember where did I generate my key [I'm using Archlinux]. @Zeth: You should add the number of comments to the front page.
→ Swap out your ssh keys

Kennon

May 15, 2008
The openssh-blacklist debian package (now available, and required for the latest version of openssh-client and openssh-server) is now available. You should: apt-get update apt-get install openssh-blacklist apt-get upgrade After that you'll have the ssh-vulnkey utility and can check.
→ Swap out your ssh keys

Krispy

May 15, 2008
mkc: debian only provided blacklists for 2048 bit RSA keys and 1024 bit DSA keys. If your key isn't one of those two types, then the blacklist isn't provided in the package. You can download one here: http://metasploit.com/users/hdm/tools/debian-openssl/ but it is nearly 100MB
→ Swap out your ssh keys

Ed

May 15, 2008
@Cristian: it applies to keys. If you generated a key on Ubuntu and then put it in authorized_keys on Fedora, it's possible that someone could brute force their way in to the Fedora server.
→ Swap out your ssh keys

Cristian

May 14, 2008
This vulnerability only applies to ssh servers, right? Aren't they the ones that generate the keys? So if my client is Ubuntu and the server is Fedora everything's okay?
→ Swap out your ssh keys

Taking Control of your Own Technology

14 May 2008

12 May 2008

10 April 2008

15 February 2008

20 January 2008

13 January 2008

01 January 2008

21 December 2007

21 December 2007

12 December 2007

11 December 2007

09 December 2007

08 December 2007

22 November 2007

11 November 2007

06 November 2007

27 October 2007

22 October 2007

21 October 2007

10 October 2007

About

Hello, my name is Zeth, I'll be your host here.

Latest Discussions

Zeth

Zeth

Anonymous

Ryan

stefano

Bug

Kennon

Krispy

Ed

Cristian