[plug] OpenSSH and security holes
Christian
christian at global.net.au
Fri Dec 10 09:22:47 WST 1999

On Thu, 9 Dec 1999, Leon Brooks wrote:
> > Well, both (sort of). :-) I don't really remember the details but there
> > was a minor problem some people had with OpenSSH (non-security related,
> > just annoying) and there was another problem with the US version linked
> > against RSAREF which has had a couple of security problems lately. Of
> > course, this problem is with RSAREF and applies to normal ssh if it uses
> > RSAREF (run 'ssh -V' to check).
>
> SSH Version OpenSSH-1.2, protocol version 1.5.
> Compiled with SSL.
>
> So I guess it's fine. (-:

Well, I wouldn't assume that. I haven't used OpenSSH yet so I don't know
whether it behaves the same way as normal SSH. I also don't know what the
Linux porting team has done with regard to the duality of OpenBSD's SSL
libraries. If they've used the US version which uses RSAREF then your
OpenSSH will be vulnerable. I gave the "-V" switch as a way for people
with standard SSH to check if they were vulnerable. For example:

hobbes:~$ ssh -V
SSH Version 1.2.26 [i586-unknown-linux], protocol version 1.5.
Standard version. Does not use RSAREF.

(on a Debian system).

As for the other bug, I believe that involves connecting to an OpenSSH
server with a SecureCRT client and it has been fixed in a recent OpenBSD
patch. I don't know whether this patch has been integrated into Linux
OpenSSH yet...

Regards,
Christian.
============================================================================
"Those who do not understand Unix are condemned to reinvent it, poorly."
-- Henry Spencer
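
Added example (not part of the original post): a shell function that classifies the text printed by `ssh -V` along the lines discussed in the message above, treating a banner that only names an SSL library as inconclusive. The two sample banners are the ones quoted in this thread; the function names and result labels are assumptions of this example, and any mention of RSAREF without the "Does not use" wording is treated as linked.

```shell
#!/bin/sh
# Added example, not from the original thread.
# classify_ssh_banner (hypothetical name) takes the text printed by
# `ssh -V` and reports whether it settles the RSAREF question.
# Result labels are this example's own:
#   no-rsaref     banner explicitly says RSAREF is not used
#   rsaref        banner mentions RSAREF without that denial
#   inconclusive  banner only names an SSL library; whether that
#                 library was built on RSAREF is not shown
#   unknown       nothing recognisable in the banner
classify_ssh_banner() {
    banner=$1
    case $banner in
        *"Does not use RSAREF"*) echo no-rsaref ;;
        *RSAREF*)                echo rsaref ;;
        *"Compiled with SSL"*)   echo inconclusive ;;
        *)                       echo unknown ;;
    esac
}

# Banners quoted in the thread above.
standard_banner='SSH Version 1.2.26 [i586-unknown-linux], protocol version 1.5.
Standard version. Does not use RSAREF.'
openssh_banner='SSH Version OpenSSH-1.2, protocol version 1.5.
Compiled with SSL.'

# Classify the locally installed client; ssh -V writes to stderr.
check_local_ssh() {
    if command -v ssh >/dev/null 2>&1; then
        classify_ssh_banner "$(ssh -V 2>&1)"
    else
        echo unknown
    fi
}

classify_ssh_banner "$standard_banner"
classify_ssh_banner "$openssh_banner"
```

An "inconclusive" result means the SSL library the binary was built against has to be checked separately.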