Openssl and openssh

ew-ssh at kegger.national-security.net
Thu Aug 1 23:01:23 EST 2002


When keys are generated, doesn't the public key stick around on the 
server (ssh_host_dsa_key.pub and ssh_host_rsa_key.pub)?

Would that make us vulnerable, or have I misunderstood what you had said?

--Eric

On Thu, 1 Aug 2002, Florian Weimer wrote:

> "kumar" <kumareshind at gmx.net> writes:
> 
> > I had seen some recommendations for and against that these vulnerabilities
> > affect OpenSSH.
> 
> Protocol 2 RSA public key/host based authentication calls OpenSSL's
> RSA_verify, which uses the ASN.1 parser internally.  Exploiting
> CAN-2002-0659 still requires that the SSH2 public key has been stored
> on the SSH server, so no anonymous attacks are possible in typical
> contexts.
> 
> 




More information about the openssh-unix-dev mailing list