Openssl and openssh

Florian Weimer Weimer at CERT.Uni-Stuttgart.DE
Fri Aug 2 06:37:15 EST 2002

ew-ssh at writes:

> Ahh, ok; thank you.  So basically only those servers who have public key 
> entries in my authorized_hosts[2] would be able to exploit the ssl 
> vulnerability?  I suppose those who have an entry in my authorized_keys 
> already get access to the box, so why exploit it.

Two things:

  - gaining root privileges

  - public key authentication might only grant non-interactive access
    (using "command=")

But I agree that such a vulnerability is not too dangerous, given the
sorry state of local security on UNIX-like systems in general.

Florian Weimer 	                  Weimer at CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898

More information about the openssh-unix-dev mailing list