Hi ISR users,

Unfortunately I need to inform you of some changes to the ISR server setup which will require you to make local changes to continue using ISR. These steps are necessary to fix a serious security problem introduced into OpenSSL by Debian (and related Linux vendors, such as Ubuntu). If you also use these systems and have not yet heard about this problem, please see the links in the references section below. Essentially, the keys generated by openssl (including ssh keys, which ISR uses heavily) are weak due to a bug in the random number generator, and those keys must be replaced. This applies to both the system's host keys, and each user's RSA key (used for ISR user authentication).

Here is what you need to know to continue using ISR:

*** User keys on isrserver05 changed. ***
=========================================

Each ISR user has a personal RSA key used for authentication. These keys were weak and have been regenerated (using the fixed OpenSSL library). Any currently authenticated ISR sessions will no longer be valid, and any attempts to perform operations with this session will fail. So you will need to re-run "isr auth". But, in order for this to work, you will need to take the actions described in the next section.

*** The host key on isrserver05.isr.cmu.edu has changed. ***
============================================================

When you attempt to initiate an ssh connection (via "isr auth"), you will get an eye-catching warning like this:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    62:16:78:12:b6:93:17:bb:82:67:1a:ec:88:f1:92:44.

The remote host key really has changed, though, and that is the correct new fingerprint (62:16:78:12:b6:93:17:bb:82:67:1a:ec:88:f1:92:44). You will need to remove the old host key, with these commands on your local ISR host:

    ssh-keygen -R isrserver05.isr.cmu.edu
    ssh-keygen -R 128.2.12.134

Then, the next time you run "isr auth", you will be told:

    The authenticity of host 'isrserver05.isr.cmu.edu (128.2.12.134)' can't be established.
    RSA key fingerprint is 62:16:78:12:b6:93:17:bb:82:67:1a:ec:88:f1:92:44.

Say Yes to that fingerprint (and only that fingerprint). Now your local copy of the host key will be up to date.

As usual, if you require any help with these steps or have other questions, feel free to contact me. We are sorry for the inconvenience, but the security of our server, and your data, depend on these immediate changes.

Matt

REFERENCES:
http://www.debian.org/security/2008/dsa-1571
http://www.debian.org/security/2008/dsa-1576
http://wiki.debian.org/SSLkeys

Received on 2008-05-14 18:02:27
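As an added example (not part of Matt's message or the ISR software), a small Python check of the step the message asks for: it computes the MD5 colon-style fingerprint OpenSSH prints in the warning above, reports known_hosts entries for isrserver05.isr.cmu.edu or 128.2.12.134 whose key no longer matches the announced fingerprint, and accepts a presented key only if it matches exactly. The sample known_hosts content and the toy RSA integers are constructed, and `make_rsa_blob`, `stale_entries` and `should_accept` are names chosen here.

```python
import base64
import hashlib
import struct

# Values from the announcement: the new host-key fingerprint (MD5, colon-separated,
# the format older OpenSSH prints) and the two names the host appears under in known_hosts.
EXPECTED_FP = "62:16:78:12:b6:93:17:bb:82:67:1a:ec:88:f1:92:44"
HOST_NAMES = {"isrserver05.isr.cmu.edu", "128.2.12.134"}


def md5_fingerprint(b64_blob: str) -> str:
    """MD5 fingerprint of a base64 SSH public-key blob as aa:bb:cc:... (display format only)."""
    digest = hashlib.md5(base64.b64decode(b64_blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def make_rsa_blob(e: int, n: int) -> str:
    """Build an ssh-rsa wire blob (string "ssh-rsa", mpint e, mpint n), base64-encoded.
    Only used to construct sample keys here; the integers are toy values, not real keys."""
    def mpint(x: int) -> bytes:
        raw = x.to_bytes((x.bit_length() + 8) // 8, "big")  # adds 0x00 only when high bit set
        return struct.pack(">I", len(raw)) + raw
    body = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return base64.b64encode(body).decode()


def should_accept(presented_blob: str, expected_fp: str) -> bool:
    """Say Yes only to a presented host key with exactly the announced fingerprint."""
    return md5_fingerprint(presented_blob) == expected_fp


def stale_entries(known_hosts: str, hosts, expected_fp: str):
    """(host field, fingerprint) for each plaintext known_hosts line naming one of `hosts`
    whose key differs from expected_fp. Hashed (|1|...) lines are skipped; ssh-keygen -R handles those."""
    stale = []
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("|1|", "#")):
            continue
        if set(parts[0].split(",")) & set(hosts):
            fp = md5_fingerprint(parts[2])
            if fp != expected_fp:
                stale.append((parts[0], fp))
    return stale


# Constructed sample known_hosts: a pre-regeneration (toy) key for the ISR server and an unrelated host.
OLD_BLOB = make_rsa_blob(65537, 0xC0FFEE1234567)
OTHER_BLOB = make_rsa_blob(65537, 0xDEADBEEF9876)
SAMPLE_KNOWN_HOSTS = (
    f"isrserver05.isr.cmu.edu,128.2.12.134 ssh-rsa {OLD_BLOB}\n"
    f"otherhost.example.org ssh-rsa {OTHER_BLOB}\n"
)
```

Running `stale_entries(SAMPLE_KNOWN_HOSTS, HOST_NAMES, EXPECTED_FP)` on a real ~/.ssh/known_hosts would list exactly the lines the two `ssh-keygen -R` commands are meant to remove.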