OpenSSL vulnerability...

Markus Friedl markus at openbsd.org
Tue Oct 7 05:28:42 EST 2003


yes, if random people can modify root's private key.

On Mon, Oct 06, 2003 at 01:04:39PM -0400, Asif Iqbal wrote:
> 
> We log in with an RSA key sometimes as root. So should we be concerned?
> 
> On Sat, 4 Oct 2003, Markus Friedl wrote:
> 
> > On Thu, Oct 02, 2003 at 04:32:56PM -0400, Asif Iqbal wrote:
> > > On Tue, 30 Sep 2003, Markus Friedl wrote:
> > >
> > > > On Tue, Sep 30, 2003 at 12:06:30PM -0500, hayward at slothmud.org wrote:
> > > > > Does OpenSSH use OpenSSL in a way in which it would be vulnerable to the
> > > > > OpenSSL vulnerabilities announced today? Namely the ASN.1 parsing
> > > > > problem and the malformed key bugs?
> > > >
> > > > no, we avoid the OpenSSL ASN.1 code for signature verification
> > > > and we don't support x509.
> > > >
> > > > only reading of _private_ keys triggers the ASN.1 code
> > > > in OpenSSH.
> > >
> > > Does this statement encompass login with RSA keys?
> >
> > the 1st: yes
> >
> > 2nd: sshd reads _private_ keys only when reading the hostkey.
> >
> 
> -- 
> Asif Iqbal
> http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x8B686E08
> There's no place like 127.0.0.1
> 