9

I've already updated my servers with the patches.

Do I need to regenerate any private keys with respect to OpenSSH? I know that I have to regenerate any SSL certificates.

EDIT: I didn't word this accurately enough. I know the vulnerability is in openssl, but I was asking how this impacts on openssh, and whether I need to re-generate the openssh host keys.

RichVel
Olly

4 Answers

6

The vulnerability does not affect OpenSSH; it affects OpenSSL, which is a library used by many services, including OpenSSH.

At this point in time it seems clear that openssh is not affected by this vulnerability, because OpenSSH uses the SSH protocol, not the vulnerable TLS protocol. It is unlikely that your ssh private key is in memory and readable by a process that is vulnerable - not impossible but unlikely.

Of course you must still update your openssl version.
Note that if you updated openssl you also need to restart all services which are using it.
That includes software like VPN server, webserver, mail server, load balancer, ...

voretaq7
faker
  • Something to bear in mind: It's possible to use the same private key part for a SSH Private Key *and* a SSL Certificate. In this case if the SSL certificate key was used on a vulnerable web server you would need to replace the affected SSH Private Key as well. (For this to be exploited someone would need to *know* you're doing this, or think to try it - it's a VERY unusual configuration in my experience, so I doubt anyone would think of it). All that said there's nothing wrong with regenerating your SSH Private Key(s) if you want to - a little paranoia isn't a bad thing :-) – voretaq7 Apr 09 '14 at 05:41
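The first answer's point that every service linked against OpenSSL has to be restarted after the package update is easy to verify on a Linux host: a process that still has the old, now-unlinked libssl/libcrypto mapped has not picked up the fix. The following is an added example, not code from the thread. It reads /proc/PID/maps, where the kernel suffixes mappings of deleted files with "(deleted)", and lists the PIDs that still reference a stale OpenSSL library. The make_fake_proc helper builds a constructed /proc look-alike (the map lines are made up) so the script runs anywhere; for the real check point stale_ssl_pids at /proc and run it as root so other users' processes are readable.

```shell
#!/bin/sh
# Added example, not from the original thread. Finds processes that still map a
# libssl/libcrypto file which has been replaced on disk by the OpenSSL upgrade.
set -u

# stale_ssl_pids [PROCROOT]: print "PID LIBRARY" for every process whose memory
# map references a libssl/libcrypto shared object marked "(deleted)".
# PROCROOT defaults to /proc; the demo points it at a constructed tree instead.
stale_ssl_pids() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps%/maps}; pid=${pid##*/}
        # maps fields: address perms offset dev inode pathname [(deleted)]
        grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null \
          | awk '{print $6}' | sort -u \
          | while read -r lib; do printf '%s %s\n' "$pid" "$lib"; done
    done
}

# make_fake_proc DIR: constructed sample data, not real processes. PID 1234
# plays a web server worker started before the upgrade (stale libraries);
# PID 5678 plays sshd restarted afterwards (current library, nothing to do).
make_fake_proc() {
    mkdir -p "$1/1234" "$1/5678" "$1/self"
    printf '7f3e0a000000-7f3e0a1f0000 r-xp 00000000 08:01 131 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n' > "$1/1234/maps"
    printf '7f3e0a200000-7f3e0a400000 r-xp 00000000 08:01 132 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)\n' >> "$1/1234/maps"
    printf '7f3e0a500000-7f3e0a510000 r-xp 00000000 08:01 133 /usr/sbin/nginx\n' >> "$1/1234/maps"
    printf '7f11c0000000-7f11c0200000 r-xp 00000000 08:01 140 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0\n' > "$1/5678/maps"
}

demo() {
    d=$(mktemp -d)
    make_fake_proc "$d"
    echo "processes still using a replaced OpenSSL library (restart these):"
    stale_ssl_pids "$d"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Only PID 1234 is reported, once per stale library. On a live system the same information is available as `lsof -n | grep -E 'libssl|libcrypto' | grep DEL` (lsof reports deleted memory-mapped files with FD type DEL); map the PIDs back to service units before restarting rather than killing processes by hand.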
1

So it seems that SSH is unaffected:

Generally, you're affected if you run some server where you generated an SSL key at some point. Typical end-users are not (directly) affected. SSH is not affected. The distribution of Ubuntu packages isn't affected (it relies on GPG signatures).

Source: ask ubuntu: How to patch CVE-2014-0160 in OpenSSL?

Olly
0

OpenSSH doesn't use the heartbeat extension, so OpenSSH isn't affected. Your keys should be safe as long as no OpenSSL process which makes use of the heartbeat extension had them in its memory, but that is usually very unlikely.

So if you are/need to be a bit paranoid, replace them; if not, you can sleep relatively well without doing so.

gpkvt
  • SSH doesn't use OpenSSL. Big Difference there. – Jacob Apr 08 '14 at 21:35
  • OpenSSH uses the libcrypto part of OpenSSL. That's why you have to restart SSH after updating OpenSSL. That's why some people are asking if they have to replace their SSH-Keys. See my answer above... So what's your point exactly? – gpkvt Apr 08 '14 at 22:44
0

In contrast to what others have said here, Schneier says yes.

Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.

It is not that ssh (any type) was directly affected, but that ssh keys may be stored in memory and the memory can be accessed. This goes for just about anything else stored in memory that is considered secret.

Jeremy French
  • He seems to give a very general overview of the problem with this sentence. It's the first time I hear that *all* your memory was exposed. So far my understanding is that only memory to which the vulnerable process has access is exposed. See also: http://security.stackexchange.com/questions/55076/what-should-a-website-operator-do-about-the-heartbleed-openssl-exploit/55089#comment87050_55076 – faker Apr 10 '14 at 06:29
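voretaq7's comment under the first answer and Jeremy French's answer turn on the same question: was a given SSH key's material ever inside a Heartbleed-vulnerable process? The one concrete case the thread names is a private key reused for both an SSH identity or host key and a TLS certificate. The following added example (not from the thread; it assumes only the openssl CLI, plus ssh-keygen for OpenSSH-format .pub files) compares the SHA-256 of the DER-encoded SubjectPublicKeyInfo from a certificate with the one derived from a key file, so an admin can test each SSH key against the certificates that the patched servers were serving. The make_fixtures helper generates a constructed throwaway key pair and self-signed certificate so the demo runs offline; the file names shared.pem, host.pem and web.crt are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumes: the openssl CLI; ssh-keygen only for OpenSSH-format .pub files.
set -u

# spki_fp: read a PEM public key on stdin and print SHA-256 over its DER
# SubjectPublicKeyInfo. Hashing the canonical DER form makes certificates, PEM
# private keys and converted OpenSSH public keys directly comparable. Prints
# nothing (rather than the hash of empty input) if the key cannot be parsed.
spki_fp() {
    t=$(mktemp)
    openssl pkey -pubin -outform DER -out "$t" 2>/dev/null
    if [ -s "$t" ]; then openssl dgst -sha256 "$t" | awk '{print $NF}'; fi
    rm -f "$t"
}

# Public key fingerprint of an X.509 certificate (the one the web server served).
cert_fp() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null | spki_fp
}

# Public key fingerprint of a PEM private key (PKCS#8 or traditional "RSA PRIVATE
# KEY"; OpenSSH accepts both as identity and host key files).
privkey_fp() {
    openssl pkey -in "$1" -pubout 2>/dev/null | spki_fp
}

# Public key fingerprint of an OpenSSH public key file (id_rsa.pub,
# ssh_host_rsa_key.pub); ssh-keygen converts it to PKCS#8 PEM first.
sshpub_fp() {
    ssh-keygen -e -m PKCS8 -f "$1" 2>/dev/null | spki_fp
}

# shares_key CERT KEYFILE: exit 0 if the certificate's public key equals the key
# file's, i.e. the SSH key was also the TLS key and must be treated as exposed.
# An unreadable file yields an empty fingerprint, never a false match.
shares_key() {
    c=$(cert_fp "$1")
    case "$2" in
        *.pub) k=$(sshpub_fp "$2") ;;
        *)     k=$(privkey_fp "$2") ;;
    esac
    [ -n "$c" ] && [ -n "$k" ] && [ "$c" = "$k" ]
}

# make_fixtures DIR: constructed test data, not real keys. shared.pem signs a
# self-signed web.crt the way a reused key would; host.pem is an unrelated key.
make_fixtures() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/shared.pem" 2>/dev/null
    openssl req -new -x509 -key "$1/shared.pem" -subj /CN=heartbleed-check -days 1 -out "$1/web.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/host.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_fixtures "$d"
    for key in "$d/shared.pem" "$d/host.pem"; do
        if shares_key "$d/web.crt" "$key"; then
            echo "$key: same public key as web.crt -> was in the TLS process, regenerate it"
        else
            echo "$key: distinct from web.crt"
        fi
    done
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

For keys stored in OpenSSH's own private key format ("BEGIN OPENSSH PRIVATE KEY"), which openssl cannot read, derive the public half first with `ssh-keygen -y -f KEY > KEY.pub` and pass the .pub file. A match only tells you the key sat in a vulnerable process; a non-match does not prove the key was never there, which is what the "a little paranoia isn't a bad thing" advice above is about.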