SSH being upgraded everywhere

Posted (June 4th, 2008 at 12:12 pm PST) by jeremy

To better protect everybody from the recent OpenSSL holes that Debian introduced, we’re upgrading our SSH packages to a newer version that allows us to blacklist public keys that were generated using the broken systems. This new blacklisting only affects people using public key authentication (i.e., if you use a password to log in, this won’t affect you). If you _do_ use public key authentication and suddenly are unable to log in without a password, it’s probably because you generated your SSH key on a broken Debian or Ubuntu box, and you will need to generate a new SSH key.

This entry was posted on Wednesday, June 4th, 2008 at 12:12 pm and is filed under System Changes.

21 Responses to “SSH being upgraded everywhere”

That was one millennium ago and it’s now when you’re upgrading!?

Yeah, let’s wait till after HD Moore has gotten into the game to upgrade. Smart!

mister gustavo and bubba, you don’t get it at all.
DH wasn’t affected by the vulnerability because they used older packages.
But the new ssh packages are good because they automatically refuse to use weak keys.

If you want to complain, the right way is: dear DH, what about telling people a couple of days in advance about this? People who use a weak key but have the password not readily available will get locked out of their shell accounts.

Just to follow up on “deb rulez”, if DH had been affected, after this upgrade you’d get an error logging in via SSH even with password authentication, as bad keys were automatically regenerated, and the SSH client freaks out when that happens to a known host.

I administer five Debian/Ubuntu boxes everyday via SSH, and got to witness the effects first hand as I upgraded them.

Yes, I do get it; I do this stuff for a living. They should have gone through everyone’s home directory (easy with dowkd.pl) and notified users who have weak keys in their authorized_keys files and had them change their source keys the day this was announced. That’s not so hard (we did it on our systems at work and disabled the folks who didn’t comply). Not notifying users means dealing with compromised accounts, which leads to compromised computers. Not something DH wants or needs after all the other issues they’ve had.
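The key blacklisting described in the post, and the authorized_keys scan suggested in the comment above, both come down to the same lookup, sketched here as an added example (not DreamHost's code and not dowkd.pl). It assumes the convention of Debian's blacklist files, where each entry is the MD5 fingerprint of the public key blob with the first 12 hex digits removed; the key blobs and the blacklist entry below are constructed, not real keys.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss")

def blacklist_id(blob: bytes) -> str:
    """Low 80 bits of the MD5 fingerprint: 32 hex digits minus the first 12."""
    return hashlib.md5(blob).hexdigest()[12:]

def parse_line(line: str):
    """Return (key_type, blob, comment) for one authorized_keys line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    # An options field (e.g. no-pty) may precede the key type; skip to the type.
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None  # malformed base64: not a usable key
            return field, blob, " ".join(fields[i + 2:])
    return None

def audit(text: str, blacklist: set):
    """Return [(line_no, comment)] for keys whose id is in the blacklist."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed and blacklist_id(parsed[1]) in blacklist:
            hits.append((n, parsed[2]))
    return hits

# Constructed sample data: these blobs are placeholders, not real keys.
def _blob(tag: bytes) -> bytes:
    return b"\x00\x00\x00\x07ssh-rsa" + tag

WEAK, GOOD = _blob(b"constructed-weak"), _blob(b"constructed-good")
BLACKLIST = {blacklist_id(WEAK)}  # stands in for a real blacklist file
SAMPLE = "\n".join([
    "# constructed authorized_keys",
    "ssh-rsa " + base64.b64encode(GOOD).decode() + " alice@laptop",
    'no-pty,command="/bin/true" ssh-rsa '
    + base64.b64encode(WEAK).decode() + " bob@debian-box",
    "ssh-rsa not*base64 carol@broken",
])

if __name__ == "__main__":
    for line_no, comment in audit(SAMPLE, BLACKLIST):
        print(f"line {line_no}: blacklisted key ({comment})")
```

Because the lookup depends only on the public key, it can be run on the server side against every user's authorized_keys without access to any private key.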

This flies in the face of “we don’t need to upgrade our SSL” posted earlier:

http://www.dreamhoststatus.com/2008/05/20/recent-ssl-vulnerabilities/

Don’t get me wrong, I think it’s a very good idea to keep security updates current.

@bubba: I agree that DreamHost needs to do A LOT better at informing people when they’re about to knowingly break features. If they’d just post a warning about this a day (or week) before rolling it out, then we could actually take proactive steps to prevent sudden, unexpected connection problems.

Nyhm, this does not fly in the face of that post. Your summary of “we don’t need to upgrade our SSL” doesn’t even accurately describe that post, they were just saying that they hadn’t upgraded to a vulnerable version. Furthermore, that post was about keys that DH generated, this post is about blacklisting bad customer-generated keys from accidental usage.

Ever since this upgrade, I’ve been getting kicked off of DH servers after 1-5 minutes.

It is maddening.

Anyone have any thoughts?

I’m having the exact same problem eric. I’ve submitted a support ticket, but who knows when that will be answered.

Same here too, both ssh and sftp. I’m hosted on the blingy cluster on the snake server.

Yup, I’m having the same SSH problem too. Just sent a support ticket in.

I have the same problem too.
What can I do now?

Same here (blingy), ssh connection dies after 30 seconds or even less

Yes, constantly dropped. How do I fix it?

rich

June 5th, 2008 at 11:18 am, Matthew Tepel Says:

Was being constantly dropped as well, but now sshd appears to be down completely.

I have the same problem. I sent a support ticket, and 6 hours later (right now) they answered, but the problem is still there. They are apparently aware of the problem, and are working to fix it.

June 5th, 2008 at 2:37 pm, Matthew Tepel Says:

Everything appears to be sorted now, although the person that answered my support ticket didn’t really provide an explanation as to what bits needed to be fixed and why it wasn’t done in the initial upgrade.

Yep, same problem here for almost 24 hours already. I am on smoothie.

I received an answer that they’ve reset ssh server or something along these lines, but the problem still persists, so I’ve submitted another ticket. Too bad this is not on their status update.

Same deal as everyone else… lots and lots of dropped ssh connections (seems to happen to multiple users simultaneously) and, of course, no official recognition of the problem on the DreamHost Status page.

ssh_exchange_identification: Connection closed by remote host

Please help…

So I’m running into a problem in that some of my machines are running RHEL and are using the older version of ssh. I don’t know when they will publish an update, so in the meantime, is there a way to generate the necessary keys on one machine but implement them on another?

Mike
