...
Summary:
Refracta Snapshot versions 9.0.9-2 and earlier copy the ssh host keys along with the rest of the system. This could facilitate a man-in-the-middle attack if you're logging in from a remote location.
If you have your ssh server open to the internet, and you are installing or have installed Refracta version 7.0 or 7.1, you need to change your ssh host keys. This is easy to do and is explained below.
Fixed in:
The issue has been fixed in Refracta_7.1.1 and Refracta Snapshot 9.0.9-4.
Who is at risk?
This affects i386 and amd64 versions of:
- Refracta-7.0 through 7.1_20130901 (replaced by 7.1.1_20130908)
- Refracta Snapshot through 9.0.9-2 (replaced by 9.0.9-4)
If you install from any of the older isos, you should replace your ssh host keys, whether you're at risk or not. An alternative is to uninstall openssh-server or turn it off.
The ssh server is running by default in Refracta. If you're not behind a firewall/router, or if your router is set up to forward ssh traffic to your computer, and you're planning to actually log into your computer from outside your local network, you should generate new keys. (Note: if you're running like this with the live-CD or you didn't change the root and user passwords when you installed, you have more serious risks, since the passwords are publicized.)
If you disabled password logins and set up public/private key authentication for your user, this is not an issue, but you should still make new host keys.
How to generate new host keys
Log into a terminal as root, change directory, delete the old keys and create new ones, all with the following commands.
- Code:
su
(give root password)
cd /etc/ssh
rm ssh_host_*key*
ssh-keygen -A
Four key-pairs will be generated. You can get rid of the RSA1 keys; they aren't used.
- Code:
rm ssh_host_key ssh_host_key.pub
After changing the keys, anyone who has logged into your machine on ssh in the past will get the scary warning about the host not matching what's in the known hosts file the next time they log in. They'll need to delete or edit ~/.ssh/known_hosts.
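As an added example (not part of the original post), the condition this advisory describes, several machines installed from the same iso sharing one ssh host key, can be spotted from a known_hosts file: two different entries carrying the same key means two hosts with the same identity. The script, its sample entries and the placeholder key blobs (valid base64, not real keys) are all constructed here.

```python
"""Find ssh host keys that are shared by more than one host in a known_hosts file."""
import base64
import hashlib
from collections import defaultdict


def parse_known_hosts(text):
    """Yield (host_field, key_type, key_b64) for each host-key entry.

    Lines starting with an @marker (@cert-authority, @revoked) are skipped:
    a CA key is legitimately shared by many hosts and a revoked key is not live.
    Hashed host fields (|1|salt|hash) are kept verbatim; grouping is by key, not host.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed entry, nothing usable
        yield fields[0], fields[1], fields[2]


def sha256_fingerprint(key_b64):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_cloned_keys(text):
    """Return {(key_type, fingerprint): [host_field, ...]} for every key that
    appears in more than one entry. Aliases on one line (host,ip) are one host."""
    entries_by_key = defaultdict(list)
    for host_field, key_type, key_b64 in parse_known_hosts(text):
        entries_by_key[(key_type, sha256_fingerprint(key_b64))].append(host_field)
    return {k: v for k, v in entries_by_key.items() if len(v) > 1}


# Constructed sample: laptop and desktop were installed from the same iso and
# therefore present the same ed25519 host key; the server has its own key.
KEY_A = base64.b64encode(b"constructed-placeholder-key-A").decode()
KEY_B = base64.b64encode(b"constructed-placeholder-key-B").decode()
SAMPLE_KNOWN_HOSTS = f"""# constructed known_hosts
laptop.lan,192.168.1.10 ssh-ed25519 {KEY_A}
desktop.lan ssh-ed25519 {KEY_A}
server.lan ssh-ed25519 {KEY_B}
@cert-authority *.lan ssh-ed25519 {KEY_B}
"""

if __name__ == "__main__":
    for (ktype, fp), hosts in find_cloned_keys(SAMPLE_KNOWN_HOSTS).items():
        print(f"{ktype} {fp} shared by: {', '.join(hosts)}")
```

Run against a real file with `find_cloned_keys(open('~/.ssh/known_hosts').read())` after expanding the path, or against the output of `ssh-keyscan` over your hosts.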
Alternative solution:
If you don't need to use the ssh server, you can just uninstall openssh-server (apt-get purge openssh-server) or turn it off (Main Menu -> System -> Services, or run services-admin from a terminal, or kill ssh and disable it with sysv-rc-conf).
Do I need to download a new iso file?
You can use the zsync file to bring your iso up to date without downloading the whole thing. (apt-get install zsync if you need to.) Run one of the following commands for i386 or amd64 as an unprivileged user from the directory that contains the old iso file, replacing <old-version> with the actual version number of the iso file you have.
i386:
- Code:
zsync -i refracta-7.-<old-version>.iso http://downloads.sourceforge.net/project/refracta/isohybrid/refracta_7.1.1_i386-20130908_1131.iso.zsync
amd64:
- Code:
zsync -i refracta-7.-<old-version>.iso http://downloads.sourceforge.net/project/refracta/isohybrid/refracta_7.1.1_amd64-20130908_0334.iso.zsync
Updated deb packages
- refractasnapshot-base_9.0.9-4_all.deb
- refractasnapshot-gui_9.0.9-4_all.deb
If you use refractasnapshot or a modified version of it on another distro:
Add the following to the excludes list:
- Code:
- /etc/ssh/ssh_host_*_key*
- /etc/ssh/ssh_host_key*
Add the following to the append line in the isolinux (or syslinux) boot menu if you want openssh-server to work. Unique ssh host keys will be generated at boot.
- Code:
config=openssh-server
...