Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - OpenSSH: Predictable PRNG in debian and ubuntu Linux InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

OpenSSH: Predictable PRNG in debian and ubuntu Linux

Published: 2008-05-13
Last Updated: 2008-05-13 21:30:19 UTC
by Swa Frantzen (Version: 4)
0 comment(s)

Debian and Ubuntu Linux users should look into their OpenSSH setup. It turns out the PRNG (Pseudo Random Number Generator) as used was predictable.

Remember patching isn't enough, you need to regenerate keys generated on these machines! Including those used in SSL certificates (X.509).

Worse: even good keys apparently can be exposed due to this. Quoting from the Debian reference below:

"Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation."

So merely using your (good) keys on an affected machine might be enough to get the key itself compromised.

Interested in what makes the PRNG be predictable I started reading the changelog and found this:

* Re-introducing seeding of the random number generator.  Patch from the

-- Florian Weimer <>  Thu, 08 May 2008 01:58:40 +0200

Guess that sums it up ...

Update: Alex dug deeper and found it might have been triggered by a tool to find use of uninitialized memory (valgrind) and bug report 363516

Update: Florian provided a link to a tool to detect these weak keys

Swa Frantzen -- Gorilla Security

Keywords: linux openssh
0 comment(s)
Diary Archives