OpenSSH 2.9p2 / SSH3 vulnerability?
mouring at etoh.eviladmin.org
Wed Aug 22 01:32:55 EST 2001
On Tue, 21 Aug 2001, Ault, James R (CRD) wrote:
>
> I have a few questions:
>
> 1) Is OpenSSH 2.9p2 (or any other version of OpenSSH) vulnerable to the same problem as SSH3.0.0?
> (described here:
> http://www.kb.cert.org/vuls/id/737451 )
>
I looked around and tried it out.. and I could not find anything that
resembled that security hole in OpenSSH. I'm sure Markus and others did
a more in-depth check.
> 2) There is a "SECURID" patch in the contrib section since 2.5.2p2. I am using it, but applying this
> patch to each new version is growing more difficult as time goes on. Would you consider merging this
> function into the core of openssh? (with a configure flag and everything)? I would certainly
> appreciate it...
>
There is? I don't see it in the -current version of the portable.
I don't believe there are any plans on adding Secure ID. I no longer
remember the reasons.. <shrug>
But doing a simple grep for "SecureID" in my archives I see comments like
"Integrating SecureID is additional complexity which has to be
maintained,"
.. So I think it's a safe bet it will not. =)
Version 3.0 will ship with Cryptocard support (currently not tested well
outside of the OpenBSD platform).
> 3) when is the next version of OpenSSH due to come out? It seems that a new one arrives only moments
> after I finish my "make install" on 4-5 different platforms.. :-)
>
Can't say for sure. =) Whenever I do, I get corrected by Theo and Markus,
but a release is 'Coming'... I know Markus would like a release before
Sept.
Unless Damien has any qualms I was going to call for people to
start testing in the next day or so (if I can catch my breath from other
projects).
- Ben