Openssl and openssh

Florian Weimer Weimer at CERT.Uni-Stuttgart.DE
Fri Aug 2 01:08:24 EST 2002

"kumar" <kumareshind at> writes:

> I had seen some recommendations for and against that these vulnerabilities
> affects OpenSSH.

Protocol 2 RSA public key/host based authentication calls OpenSSL's
RSA_verify, which ueses the ASN.1 parser internally.  Exploiting
CAN-2002-0659 still requires that the SSH2 public key has been stored
on the SSH server, so no anonymous attacks are possible in typical

Florian Weimer 	                  Weimer at CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898

More information about the openssh-unix-dev mailing list