[DC-Users] Security Problems and Miscellenous Other Changes

DuckCorp Admin Team dc-admins at lists.duckcorp.org
Thu May 15 16:46:37 CEST 2008


As Usual, we are so busy, we didn't really have time to give much  
news. Follows a few
unsorted news, to quickly feel the gap.

=== Security Problem ===

Due to a "BIG security issue"[1] in Debian, our software was quickly  
upgraded to fix the
issue, but this is not sufficient, and keys/certificates are weak and  
must be regenerated.

For the SSH host keys, they are being regenerated today, and new  
fingerprints will be
advertised in DNS via SSHFP entries (there is no validation of such  
entries yet, but
better than nothing). That is to say: you SHOULD verify you get the  
following message
when you try to log back to our machines after removing the old keys in
'~/.ssh/known_hosts' :
   Matching host key fingerprint found in DNS.
Complete session initialization would be like the following :
   # ssh root at toushirou.duckcorp.org
   The authenticity of host 'toushirou.duckcorp.org  
(2001:7a8:800:6666::1)' can't be
   RSA key fingerprint is 77:40:c9:c1:f3:cc:17:22:67:50:8d:3d:1f:39:bd:46.
   Matching host key fingerprint found in DNS.
   Are you sure you want to continue connecting (yes/no)?

For the user's SSH keys, you should take care of them yourself, and  
verify your ones are
not weak with the Debian provided tool. Soon they will be blacklisted  
and won't work
anymore (and you know you cannot log into DC's machine with  
passwords). If you could not
fix your keys and '~/.ssh/authorized_keys' in time, just contact us to  
manually insert a
new key.

For the services' certificates, they are being regenerated soon too,  
and as our CA
(certificate authority) is not compromized, it should be invisible to you.

=== HQ Unavailability ===

A few weeks ago, you might have expirienced unavailabilit of the HQ  
ans the few public
services services hosted in there. The ADSL problem seems to be  
closed, and we are trying
to improve service redondancies for the future.

=== Jabber Issues ===

As said above, we are trying to improve HQ hosted services  
availability, and Jabber is
one of the most important ones. We added another jabber server to make  
a cluster, which
is totaly invisible to the users. Unfortunately, it was more difficult  
than expected, and
the downtime was followed by a long time with screwed up rosters. We  
managed to reinject
rosters, but with a not so fresh backup. Most of our contacts were  
retrieved, thought,
and it should be working fine now.

=== Backup Downtime ===

We just managed to restart our backup server which was down because of  
hardware problems
during about 3 weeks. Seems fresher stuff is needed here.

=== Homes Synchronization ===

Arnau worked well coding a nice script which daily synchronize hidden  
in you home (those begining with a dot, mostly configuration files)  
accross our machines.
People allowed to log into several machines won't have to manually copy their
configuration files and keys and stuff.

Have FUN... :-/

[1] http://www.us.debian.org/security/2008/dsa-1571

Marc Dequènes (Duck)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: PGP Digital Signature
URL: <https://lists.duckcorp.org/mailman/private/dc-users/attachments/20080515/ca8adfd0/attachment.pgp>

More information about the DC-Users mailing list