Openssl and openssh
Florian Weimer
Weimer at CERT.Uni-Stuttgart.DE
Fri Aug 2 06:37:15 EST 2002
ew-ssh at kegger.national-security.net writes:
> Ahh, ok; thank you. So basically only those servers who have public key
> entries in my authorized_hosts[2] would be able to exploit the ssl
> vulnerability? I suppose those who have an entry in my authorized_keys
> already get access to the box, so why exploit it.

Two things:

- gaining root privileges
- public key authentication might only grant non-interactive access
  (using "command=")

But I agree that such a vulnerability is not too dangerous, given the
sorry state of local security on UNIX-like systems in general.

--
Florian Weimer Weimer at CERT.Uni-Stuttgart.DE
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT fax +49-711-685-5898
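
Added illustration, not part of the original message: a small parser that reads authorized_keys entries and reports which keys are confined by the command= option mentioned in the reply. The function names and sample entries are constructed for this example.

```python
# Added example: hypothetical helper names, constructed sample data.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def split_options(line):
    """Return (options, rest). Commas and spaces are literal inside quotes."""
    opts, cur, in_q, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if in_q and line[i:i + 2] == '\\"':   # escaped quote inside a value
            cur += '"'
            i += 2
            continue
        if ch == '"':
            in_q = not in_q
        elif ch == "," and not in_q:
            opts.append(cur)
            cur = ""
        elif ch in " \t" and not in_q:
            break                              # end of the options field
        else:
            cur += ch
        i += 1
    return opts + [cur], line[i:].strip()

def classify(line):
    """Describe one entry, or return None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts, rest = ([], line) if line.startswith(KEY_TYPES) else split_options(line)
    parsed = dict(o.partition("=")[::2] for o in opts)
    fields = rest.split()
    forced = parsed.get("command")
    # no-pty alone does not confine the key: without command= the holder
    # can still ask sshd to run any command.
    return {"comment": fields[2] if len(fields) > 2 else "",
            "forced_command": forced, "unrestricted": forced is None}

def audit(text):
    """Classify every key entry in an authorized_keys file body."""
    return [r for r in map(classify, text.splitlines()) if r]

SAMPLE = r'''# constructed entries; key material is placeholder text
ssh-rsa AAAAB3PLACEHOLDER1 admin@workstation
command="/usr/local/bin/backup --dest \"/srv/b,1\"",no-pty ssh-rsa AAAAB3PLACEHOLDER2 backup@nas
from="10.0.0.5",no-pty ssh-dss AAAAB3PLACEHOLDER3 monitor@probe
'''

if __name__ == "__main__":
    for entry in audit(SAMPLE):
        print(entry)
```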