With the Debian OpenSSL problems, everybody wants to know whether their server is vulnerable. Fortunately, CentOS machines shouldn’t be directly affected and have fewer issues than Debian or Ubuntu derivatives. Unfortunately, your system may still be vulnerable if any of your users generated their keys on an affected machine. So it is definitely necessary to check, even if you are not running a distribution that is affected.
These are the steps I have been going through to look for weak keys on a CentOS server.
Download the weak key detector provided by Debian (there may be better tools to use by now). It is available on the announcement page. (I’m not linking to it intentionally).
[root@host ~]# cd /tmp
[root@host tmp]# wget http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
--20:44:31-- http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
Resolving security.debian.org... 128.31.0.36, 130.89.175.54, 212.211.132.32, ...
Connecting to security.debian.org|128.31.0.36|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14231783 (14M) [application/x-gzip]
Saving to: `dowkd.pl.gz'

100%[================================>] 14,231,783 6.42M/s in 2.1s

20:44:33 (6.42 MB/s) - `dowkd.pl.gz' saved [14231783/14231783]

[root@host tmp]# gunzip dowkd.pl.gz
Then check a couple of known files. Start with your SSH host keys in /etc/ssh/:
[root@host tmp]# perl dowkd.pl file /etc/ssh/*key*
/etc/ssh/ssh_host_dsa_key:1: warning: unparsable line
/etc/ssh/ssh_host_key:1: warning: unparsable line
summary: keys found: 4, weak keys: 0
Then check any certificates in /etc/pki/tls:
[root@host tmp]# for file in `find /etc/pki/tls/ -name "*key"`; do echo -n "$file - "; perl /tmp/dowkd.pl file $file; done
/etc/pki/tls/certs/mydomain.ca.key - summary: keys found: 1, weak keys: 0
/etc/pki/tls/certs/secure.mydomain.ca.key - summary: keys found: 1, weak keys: 0
/etc/pki/tls/private/localhost.key - summary: keys found: 1, weak keys: 0
And for any SSL certificates that Apache might be using in /etc/httpd/conf/ssl.key/:
[root@host tmp]# perl dowkd.pl file /etc/httpd/conf/ssl.key/*
summary: keys found: 4, weak keys: 0
And finally, any users who might have authorized a weak key via their authorized_keys file:
[root@host tmp]# for file in `find / -name authorized_keys`; do echo -n "$file "; perl dowkd.pl file $file; done
/home/someuser/.ssh/authorized_keys summary: keys found: 6, weak keys: 0
summary: keys found: 7, weak keys: 0
Note that any key that reports ‘warning: no blacklist found’ means the tool had no blacklist for that key type, so it may need to be checked with another tool unless you are sure it is okay.
You should also check any other locations for keys. The locations can vary widely between machines, depending on how your server is configured. The locations above should cover most of the defaults on a CentOS 4 or CentOS 5 server, but every server is different. If you don’t find a weak key now, it’s quite likely that an attacker will later.
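The checks above, collected into one script as an added example (this is not part of the original post and not Debian's tool): it runs dowkd.pl over the same default locations, parses the "summary: keys found: N, weak keys: M" lines shown above, treats a "no blacklist found" warning as "unchecked" rather than "clean", and exits non-zero if anything needs attention. The checker path (/tmp/dowkd.pl, overridable with DOWKD), the glob list, and the function names weak_count, nobl_count, classify_output and scan are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: run dowkd.pl over the locations
# the post checks, parse the "summary: keys found: N, weak keys: M" lines it
# prints, and flag files that are weak or could not be checked.

# Location of the unpacked checker (assumption: /tmp/dowkd.pl, as in the post).
DOWKD="${DOWKD:-/tmp/dowkd.pl}"

# Default key locations from the post (CentOS 4/5 defaults); extend per server.
KEY_GLOBS="/etc/ssh/*key* /etc/pki/tls/certs/*.key /etc/pki/tls/private/*.key /etc/httpd/conf/ssl.key/*"

# weak_count OUTPUT: total of the "weak keys: M" values across all summary lines.
weak_count() {
    printf '%s\n' "$1" | awk '/summary:/ { n += $NF } END { print n + 0 }'
}

# nobl_count OUTPUT: number of "no blacklist found" warnings, i.e. keys of a
# type the checker has no blacklist for (the caveat in the post).
nobl_count() {
    printf '%s\n' "$1" | awk '/no blacklist found/ { n++ } END { print n + 0 }'
}

# classify_output OUTPUT: print WEAK, UNCHECKED or OK for one checker run.
classify_output() {
    if [ "$(weak_count "$1")" -gt 0 ]; then
        echo WEAK
    elif [ "$(nobl_count "$1")" -gt 0 ]; then
        echo UNCHECKED
    else
        echo OK
    fi
}

# scan: print "STATUS path" for every key file found, one per line.
scan() {
    {
        for g in $KEY_GLOBS; do
            [ -f "$g" ] && echo "$g"   # unmatched globs stay literal; skip them
        done
        # Every authorized_keys file on the box, as the post does with find.
        find / -name authorized_keys -type f 2>/dev/null
    } | sort -u | while read -r f; do
        out=$(perl "$DOWKD" file "$f" 2>&1)
        echo "$(classify_output "$out") $f"
    done
}

if [ -f "$DOWKD" ]; then
    report=$(scan)
    printf '%s\n' "$report"
    # Non-zero exit if anything needs attention, so this can gate a cron job.
    printf '%s\n' "$report" | grep -Eq '^(WEAK|UNCHECKED) ' && exit 1
else
    echo "checker not found at $DOWKD (set DOWKD=/path/to/dowkd.pl)" >&2
fi
```

Run it as root so the find can read every home directory; an UNCHECKED line is the "no blacklist found" case from the note above and still needs a second tool or a manual look before you call that file clean.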
One thought on “Identifying Weak SSL or SSH Keys on CentOS”