Discussion:
[Plug-webdev] SSH/SSL updates?
der.hans
2008-05-14 08:06:18 UTC
moin moin,

the web server is running Ubuntu?

I presume that means we need to update it and update the SSH keys and the
SSL cert.

Maybe we should publish the server public SSH key on a page on the site as
well.

ciao,

der.hans
--
# https://www.LuftHans.com/ https://LOPSA.org/
# "This country has nothing to fear from the crooked man who fails. We put
# him in jail. It is the crooked man who succeeds who is a threat to this
# country." -- Theodore Roosevelt, Memphis, TN, 25Oct1905
a***@crackpot.org
2008-05-14 19:15:54 UTC
Post by der.hans
moin moin,
the web server is running Ubuntu?
I presume that means we need to update it and update the SSH keys and the
SSL cert.
I can regenerate the ssl cert. Stuff I've read says that sshd needs to
be shut down when installing new host keys, so someone with physical
access to the box will need to do that. On my own box, I stopped
sshd, moved the keys out of /etc/ssh, and ran 'dpkg-reconfigure
openssh-server'. That regenerated the keys and restarted sshd.

alex
der.hans
2008-05-15 07:57:56 UTC
Post by a***@crackpot.org
Post by der.hans
moin moin,
the web server is running Ubuntu?
I presume that means we need to update it and update the SSH keys and the
SSL cert.
I can regenerate the ssl cert. Stuff I've read says that sshd needs to
be shut down when installing new host keys, so someone with physical
access to the box will need to do that. On my own box, I stopped
sshd, moved the keys out of /etc/ssh, and ran 'dpkg-reconfigure
openssh-server'. That regenerated the keys and restarted sshd.
The new package autogenerates new keys. The new package also restarts
sshd, but that shouldn't affect open connections. I believe the new
package triggers a request for a reboot in order to make sure all active
client connections get killed.

ssh-keygen -R $hostname

That can be used to remove the bad keys from your known_hosts files.

ssh-keygen -l -f ~/.ssh/known_hosts

That will list the fingerprints for each of the keys in your known_hosts
file. Those of us using lots of tunnels will need that one.

I will try to work with Brian tomorrow to get the openssh updates done
while he's physically there just in case there's a problem.

ciao,

der.hans
--
# https://www.LuftHans.com/ https://LOPSA.org/
# Don't step in front of speeding cars, don't eat explosives
# and don't use m$ LookOut :). - der.hans
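
Added example (not part of the thread): a sketch of what `ssh-keygen -l` computes per known_hosts entry, used to flag entries for a host whose fingerprint no longer matches the one published for the server and that are therefore candidates for `ssh-keygen -R`. The hostname `web.example.org`, the address, and the key blobs are constructed placeholders, not real keys; host matching assumes exact names (no wildcards or `[host]:port` forms).

```python
import base64, hashlib, hmac

def b64(raw):
    return base64.b64encode(raw).decode()

def fingerprints(key_b64):
    """Return (legacy MD5 hex, SHA256) fingerprints of a base64 key blob."""
    blob = base64.b64decode(key_b64)
    md5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    return md5, "SHA256:" + b64(hashlib.sha256(blob).digest()).rstrip("=")

def host_matches(field, host):
    """Match the host field of a known_hosts line, plain or hashed."""
    if field.startswith("|1|"):  # HashKnownHosts: |1|salt|HMAC-SHA1(salt, host)
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(digest))
    return host in field.split(",")  # exact names only, no wildcards

def audit(known_hosts_text, host, published):
    """List (line, key type, SHA256 fingerprint, status) for host's entries."""
    found = []
    for n, line in enumerate(known_hosts_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue  # blank, comment, or @cert-authority/@revoked marker
        if host_matches(parts[0], host):
            md5, sha = fingerprints(parts[2])
            status = "ok" if published in (md5, sha) else "stale"
            found.append((n, parts[1], sha, status))
    return found

# Constructed sample: placeholder bytes stand in for real key blobs.
OLD_KEY = b64(b"constructed old host key blob")
NEW_KEY = b64(b"constructed new host key blob")
SALT = b"constructed salt 20b"
HASHED = "|1|%s|%s" % (
    b64(SALT), b64(hmac.new(SALT, b"web.example.org", hashlib.sha1).digest()))
SAMPLE = "\n".join([
    "web.example.org,192.0.2.10 ssh-rsa " + OLD_KEY,
    "# comment line",
    HASHED + " ssh-rsa " + NEW_KEY,
    "other.example.org ssh-rsa " + OLD_KEY,
])

if __name__ == "__main__":
    for row in audit(SAMPLE, "web.example.org", fingerprints(NEW_KEY)[1]):
        print(row)  # entries marked "stale" are candidates for ssh-keygen -R
```
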
Eric Shubert
2008-05-15 15:25:28 UTC
Post by der.hans
Post by a***@crackpot.org
Post by der.hans
moin moin,
the web server is running Ubuntu?
I presume that means we need to update it and update the SSH keys and the
SSL cert.
I can regenerate the ssl cert. Stuff I've read says that sshd needs to
be shut down when installing new host keys, so someone with physical
access to the box will need to do that. On my own box, I stopped
sshd, moved the keys out of /etc/ssh, and ran 'dpkg-reconfigure
openssh-server'. That regenerated the keys and restarted sshd.
The new package autogenerates new keys. The new package also restarts
sshd, but that shouldn't affect open connections. I believe the new
package triggers a request for a reboot in order to make sure all active
client connections get killed.
ssh-keygen -R $hostname
That can be used to remove the bad keys from your known_hosts files.
ssh-keygen -l -f ~/.ssh/known_hosts
That will list the fingerprints for each of the keys in your known_hosts
file. Those of us using lots of tunnels will need that one.
I will try to work with Brian tomorrow to get the openssh updates done
while he's physically there just in case there's a problem.
ciao,
der.hans
Should be able to simply:
apt-get dist-upgrade
--
-Eric 'shubes'