OpenSSH (define) is one of the most common mechanisms in use for providing secure remote access to servers. A flaw in a key part of how Debian-based Linux distributions like Ubuntu secure OpenSSH has put potentially millions of servers at risk from a brute force attack. The attack could have major implications for the Internet.

The Internet Storm Center (ISC) at SANS is raising the alarm on the issue with a yellow alert on the flaw. According to ISC handler Bojan Zdrnja, the development of automated scripts exploiting key based SSH authentication looks like a real threat to SSH servers around the world. In a blog post, Zdrnja argued that public keys generated on any Debian based machine between September 2006 and 13th of May 2008 are vulnerable.

"It is obvious that this is highly critical -- if you are running a Debian or Ubuntu system, and you are using keys for SSH authentication (ironically, that's something we've been recommending for a long time)," Zdrnja wrote. "In other words, those secure systems can be very easily brute forced."

Security researcher HD Moore, leaders of the Metasploit security effort has gone a step further, explaining in a public post how he was able to brute force 1024, 2048 and 4096-bit keys. The flaw itself exists in a Debian-specific version of the OpenSSL package, which generates the keys that are used in OpenSSH. Even though OpenSSL is widely used by other Linux distributions, it is not necessarily at risk according to Moore.

"The flaw in question was introduced by a Debian-specific patch," Moore told InternetNews.com. "This patch was not pushed upstream to the OpenSSL folks, so only distributions based on Debian have this issue."

"It's obviously a very significant issue being a remote exploit," Canonical CEO Mark Shuttleworth told InternetNews.com.

Shuttleworth added that folks who have applied the update are in a good position. Shuttleworth added that Ubuntu is very responsive on security and their primary focus is to be able to respond to any issue that may arise.

"We do have a substantial amount of pro-active security in the system," Shuttleworth explained. "Where we design the configuration of the system so services are isolated form one another. So a compromise in one service doesn't affect the rest of the system."

This article was first published on InternetNews.com. To read the full article, click here.