Openssl and openssh

Ben Lindstrom mouring at etoh.eviladmin.org
Fri Aug 2 05:57:52 EST 2002


You really should be generating keys on your clients and pushing the
public keys to each of the remote machines you are logging into.  You
should avoid having your private key out for anyone to see.

- Ben


On Thu, 1 Aug 2002 ew-ssh at kegger.national-security.net wrote:

> When keys are generated, doesn't the public key stick around on the
> server (ssh_host_dsa_key.pub and ssh_host_rsa_key.pub)?
>
> Would that make us vulnerable, or have I misunderstood what you had said?
>
> --Eric
>
> On Thu, 1 Aug 2002, Florian Weimer wrote:
>
> > "kumar" <kumareshind at gmx.net> writes:
> >
> > > I had seen some recommendations for and against that these vulnerabilities
> > > affect OpenSSH.
> >
> > Protocol 2 RSA public key/host based authentication calls OpenSSL's
> > RSA_verify, which uses the ASN.1 parser internally.  Exploiting
> > CAN-2002-0659 still requires that the SSH2 public key has been stored
> > on the SSH server, so no anonymous attacks are possible in typical
> > contexts.
> >
> >
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>



