Does Heartbleed affect ssh keys?

ssh openssl heartbleed

No, Heartbleed doesn't really affect SSH keys, so you probably don't need to replace the SSH keys you've been using.

First, SSL and SSH are two different security protocols for two different uses. Likewise, OpenSSL and OpenSSH are also two completely different software packages, despite the similarities in their names.

Second, the Heartbleed exploit causes the vulnerable OpenSSL TLS/DTLS peer to return a random 64kB of memory, but it's almost certainly limited to memory accessible to that OpenSSL-using process. If that OpenSSL-using process doesn't have access to your SSH private key, then it can't leak it via Heartbleed.

Also, you typically only put your SSH public key on servers you use SSH to connect to, and as the name implies, a public key is a key you can publicize. It doesn't matter who knows it. In fact, you want the public to know your correct public key.

Thanks to @Bob for pointing out that the vulnerability can affect client apps that use vulnerable versions of OpenSSL as their client-side TLS/DTLS library. So if, for example, your web browser or your SSL-based VPN client used a vulnerable version of OpenSSL, and connected to a malicious server, that malicious server could use Heartbleed to see random snippets of that client software's memory. If that client app for some reason had a copy of your SSH private keys in memory, then it could leak via Heartbleed.

Off the top of my head, I'm not thinking of any software besides SSH that could have a copy of your unencrypted SSH private key in memory. Well, that assumes you keep your SSH private keys encrypted on disk. If you don't keep your SSH private keys encrypted on disk, then I suppose you could have used some OpenSSL TLS-using file transfer or backup program to copy or back up your home directory over the network (including your ~/.ssh/id_rsa or other SSH private key), then it could have an unencrypted copy of your SSH private key in memory. Then again, if you were backing up your unencrypted SSH private key to a malicious server, you've probably got bigger worries than Heartbleed. :-)


"Second, the Heartbleed exploit causes the vulnerable OpenSSL TLS/DTLS peer to return a random 64kB of memory, but it's almost certainly limited to memory accessible to that OpenSSL-using process. "

if the machine gets compromised then how can you trust anything on it, including ssh? from heartbleed.com

" What leaks in practice?

We have tested some of our own services from attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication. "

someone might have put a private key, with no passphrase, on a server they assumed wasnt malicious... but turned out to be. b/c SSL bug allowed a user's password out, a user who had 'sudo'... its probably not an issue.... but...

people do crazy stuff sometimes

http://blog.visionsource.org/2010/08/28/mining-passwords-from-public-github-repositories/

Related

In vim, how do I make the left and right arrow keys change line?
What happens when an SSD wears out?
How do SSL chains work?
How to fill fill-in forms inside Microsoft Word documents
How can I toggle Full Screen mode in Remote Desktop without a Break key?
How can I specify the repository from which a package will be installed? (emacs-snapshot)
How to remove addresses from Thunderbird's autocomplete drop-down?
How to scroll in grub2 shell?
VMWare Player is not working after installing Hyper-V on windows 8 Pro
how do I see which user I am logged in as in MySQL?
How do I force single (only) channel audio in youtube/flash videos to play in both (left/right) channels?
How can I make wget rename downloaded files to not include the query string?