Openssl and openssh

Markus Friedl Markus.Friedl at
Mon Aug 5 19:17:58 EST 2002

On Thu, Aug 01, 2002 at 05:08:24PM +0200, Florian Weimer wrote:
> "kumar" <kumareshind at> writes:
> > I had seen some recommendations for and against that these vulnerabilities
> > affects OpenSSH.
> Protocol 2 RSA public key/host based authentication calls OpenSSL's
> RSA_verify, which ueses the ASN.1 parser internally.  Exploiting
> CAN-2002-0659 still requires that the SSH2 public key has been stored
> on the SSH server, so no anonymous attacks are possible in typical
> contexts.

we will probably try this in the future:

More information about the openssh-unix-dev mailing list