Openssl and openssh

ew-ssh at kegger.national-security.net
Thu Aug 1 23:14:33 EST 2002


> You should avoid having your private key out for anyone to see.

I realize that, my question is pointed towards "Exploiting CAN-2002-0659
still requires that the SSH2 public key has been stored on the SSH server,
so no anonymous attacks are possible in typical contexts." 

What does Weimer mean by "server"?  Usually public keys are sitting right 
next to the private ones.

--Eric

> 
> - Ben
> 
> 
> On Thu, 1 Aug 2002 ew-ssh at kegger.national-security.net wrote:
> 
> > When keys are generated, doesn't the public key stick around on the
> > server (ssh_host_dsa_key.pub and ssh_host_rsa_key.pub)?
> >
> > Would that make us vulnerable, or have I misunderstood what you had said?
> >
> > --Eric
> >
> > On Thu, 1 Aug 2002, Florian Weimer wrote:
> >
> > > "kumar" <kumareshind at gmx.net> writes:
> > >
> > > > I had seen some recommendations for and against that these vulnerabilities
> > > > affect OpenSSH.
> > >
> > > Protocol 2 RSA public key/host based authentication calls OpenSSL's
> > > RSA_verify, which uses the ASN.1 parser internally.  Exploiting
> > > CAN-2002-0659 still requires that the SSH2 public key has been stored
> > > on the SSH server, so no anonymous attacks are possible in typical
> > > contexts.
> > >
> > >
> >
> > _______________________________________________
> > openssh-unix-dev at mindrot.org mailing list
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
> 
> 
> 

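Weimer's condition above is that an SSH2 public key is already stored on the server. The following is an added example, not code from this thread or from OpenSSH: it decodes the SSH2 wire format of `ssh-rsa` entries (string "ssh-rsa", mpint e, mpint n) from an authorized_keys text, using a constructed sample embedded inline, so an administrator can inventory which protocol-2 RSA keys the server has on file and therefore which accounts the condition applies to.

```python
import base64
import struct


def read_string(buf: bytes, pos: int):
    """Read one SSH wire 'string' (uint32 big-endian length + bytes), refusing truncation."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    end = pos + 4 + length
    if end > len(buf):
        raise ValueError("truncated string body")
    return buf[pos + 4:end], end


def decode_ssh_rsa(b64: str):
    """Return (e, n) from an ssh-rsa blob: string "ssh-rsa", mpint e, mpint n."""
    buf = base64.b64decode(b64, validate=True)
    ktype, pos = read_string(buf, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % ktype)
    e_raw, pos = read_string(buf, pos)
    n_raw, pos = read_string(buf, pos)  # mpint: may carry a leading 0x00 sign byte
    if pos != len(buf):
        raise ValueError("trailing bytes after modulus")
    return int.from_bytes(e_raw, "big"), int.from_bytes(n_raw, "big")


def inventory_rsa_keys(text: str):
    """(comment, e, modulus bits) for every ssh-rsa entry in authorized_keys text."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or "ssh-rsa" not in parts:
            continue  # blank line, comment line, or a non-RSA key type
        i = parts.index("ssh-rsa")  # options such as no-pty may precede the key type
        if i + 1 >= len(parts):
            raise ValueError("key type without key data: %r" % line)
        e, n = decode_ssh_rsa(parts[i + 1])
        found.append((" ".join(parts[i + 2:]) or "(no comment)", e, n.bit_length()))
    return found


# Constructed sample file (not a real key): the ssh-rsa blob encodes e=65537 and an
# 8-bit toy modulus 0xA5, stored with a leading 0x00 because its top bit is set.
SAMPLE_AUTHORIZED_KEYS = """\
# keys for alice
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAgCl alice@example
ssh-dss AAAAB3NzaC1kc3MAAAAA bob@example
"""
```

Run `inventory_rsa_keys` over a real authorized_keys file to list the ssh-rsa entries; DSA entries and comment lines are skipped rather than decoded.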