OpenSSH 3.4p1 and OpenSSL
Mark_A_Khan at raytheon.com
Tue Oct 14 07:14:31 EST 2003
Ladies and Gentlemen;
I have multiple systems where all I can find is the OpenSSH 3.4p1 installed
without the OpenSSL libraries. I have other systems that have OpenSSH 3.4p1
with OpenSSL 0.9.6e and other systems with OpenSSH 3.6.1p1 and OpenSSL 0.9.7b
installed.
I am trying to respond to the following IAVA:
CERT Advisory CA-2003-26 Multiple Vulnerabilities in SSL/TLS Implementations
Original issue date: October 1, 2003
* OpenSSL versions prior to 0.9.7c and 0.9.6k
* Multiple SSL/TLS implementations
* SSLeay library
If someone could please take the time to answer the following questions, I
would greatly appreciate it.
1. Does OpenSSH 3.4p1 need the OpenSSL libraries to encrypt the data so
that it can't be seen?
2. If OpenSSH 3.4p1 does not need the OpenSSL libraries to encrypt the
data so that it can't be seen, then what are the OpenSSL libraries used
for?
3. I installed the OpenSSH 3.4p1 on a Solaris 8 system without the OpenSSL
libraries. Once installed I was able to do the following:
   1. Started snoop in a window: snoop port 22
   2. I then executed the following command from another window:
      /usr/local/bin/ssh localhost -l mak
   3. I logged in.
   4. When I checked the snoop output there was nothing!
What am I missing here?
Should snoop have reported output even if it WAS or was NOT encrypted?
How can I find out what version of the OpenSSL libraries are being used by
the OpenSSH?
How do I test OpenSSH to make sure it is using the OpenSSL libraries?
What are the OpenSSL libraries used for?
I have theorized (guessed) the following:
OpenSSH provides a somewhat generic encrypted secure "tunnel or
connection" between systems.
OpenSSL provides a higher level or grade of encryption of the data being
passed thru the "tunnel or connection" between the systems.
I am planning on updating the libraries on those systems that had previous
versions of OpenSSL mentioned above with the openssl 0.9.7c that is supposed
to address the IAVA. Does this mean I will have to recompile the SSH
software on those systems?
Any and all help would be greatly appreciated!
Respectfully;
Mark Khan
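
One way to check the versions named in the post against the fixed releases the advisory lists (0.9.6k and 0.9.7c), as an added example that is not part of the original message. It assumes the `ssh -V` banner of these releases carries the library version as "OpenSSL 0x..." in the 0xMNNFFPPS layout; the function names are hypothetical and the sample banners are constructed.

```shell
# Added example (not from the original post): classify the OpenSSL version named
# in an `ssh -V` banner against the fixed releases listed in CA-2003-26.

# Extract the OpenSSL token ("0x0090605f" or "0.9.7c") from a banner line.
banner_openssl() {
    echo "$1" | sed -n 's/.*OpenSSL \([0-9][0-9a-zx.]*\).*/\1/p'
}

# Normalise a version to "MAJOR MINOR FIX PATCH" (PATCH: 0 = none, 1 = a, 2 = b ...).
parse_openssl() {
    case "$1" in
    0x*)    # assumed OPENSSL_VERSION_NUMBER layout 0xMNNFFPPS
        v=$(($1))
        echo "$((v >> 28 & 15)) $((v >> 20 & 255)) $((v >> 12 & 255)) $((v >> 4 & 255))" ;;
    [0-9]*)
        nums=${1%%[a-z]*}       # "0.9.6e" -> "0.9.6"
        letter=${1#"$nums"}     # "e", or empty for a release with no letter
        patch=0
        [ -z "$letter" ] || patch=$(( $(printf '%d' "'$letter") - 96 ))
        echo "$nums" | { IFS=. read -r a b c; echo "$a $b $c $patch"; } ;;
    esac
}

# Print "affected", "fixed" or "unknown" for a version string.
advisory_status() {
    set -- $(parse_openssl "$1")
    [ $# -eq 4 ] || { echo unknown; return 0; }
    branch=$(( $1 * 10000 + $2 * 100 + $3 ))   # 0.9.6 -> 906, 0.9.7 -> 907
    if [ "$branch" -eq 906 ]; then
        if [ "$4" -ge 11 ]; then echo fixed; else echo affected; fi   # k = 11
    elif [ "$branch" -gt 907 ] || { [ "$branch" -eq 907 ] && [ "$4" -ge 3 ]; }; then
        echo fixed                                                    # c = 3
    else
        echo affected
    fi
}

# Classify a whole banner, e.g. check_banner "$(/usr/local/bin/ssh -V 2>&1)"
check_banner() {
    advisory_status "$(banner_openssl "$1")"
}

# Constructed sample banners covering the versions mentioned in the post.
for b in "OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090605f" \
         "OpenSSH_3.6.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090702f" \
         "OpenSSH_3.6.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090703f"; do
    echo "$(check_banner "$b")  $b"
done
```

A banner with no OpenSSL token yields "unknown", which marks a host to inspect by hand.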
More information about the openssh-unix-dev
mailing list