OpenSSH 3.4p1 and OpenSSL

Darren Tucker dtucker at zip.com.au
Tue Oct 14 14:19:31 EST 2003


Mark_A_Khan at raytheon.com wrote:
> I have multiple systems where all I
> can find is the OpenSSH 3.4p1 [snip]
> Implementations Original issue date: October 1, 2003
> * OpenSSL versions prior to 0.9.7c and 0.9.6k
> * Multiple SSL/TLS implementations
> * SSLeay library

You should also upgrade OpenSSH or apply the security patch:
http://www.openssh.com/txt/buffer.adv

> If someone could please take the time to answer the following questions, I
> would greatly appreciate it.
> 1. Does OpenSSH 3.4p1 need the OpenSSL libraries to encrypt the data so
> that it can't be seen?

Yes, but just libcrypto.

> 2. If OpenSSH 3.4p1 does not need the OpenSSL libraries to encrypt the
> data so that it can't be seen, then what are the OpenSSL libraries used
> for?
> 3. I installed OpenSSH 3.4p1 on a Solaris 8 system without the OpenSSL
> libraries. Once installed I was able to do the following:
> 1. Started snoop in a window. snoop port 22
> 1. I then executed the following command from another window :
> /usr/local/bin/ssh localhost -l mak
> 2. I logged in.
> 3. When I checked the snoop output there was nothing!
> What am I missing here?

Solaris can't sniff its loopback interface.  Try it between 2 boxes.

> Should snoop have reported output even if it WAS or was NOT encrypted?

You'll see the traffic either way but if it's encrypted you won't
(shouldn't!) be able to make sense out of it.

> How can I find out what version of the OpenSSL libraries is being used by
> OpenSSH?

ssh -V

> How do I test OpenSSH to make sure it is using the OpenSSL libraries?

It won't build without them.

> What are the OpenSSL libraries used for?
> I have theorized (guessed) the following:
> OpenSSH provides a somewhat generic encrypted secure "tunnel or
> connection" between systems.
> OpenSSL provides a higher level or grade of encryption of the data being
> passed thru the "tunnel or connection" between the systems.

OpenSSL is used only for its crypto functions.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
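
An added example, not part of the original thread or of OpenSSH: a check that takes the banner printed by `ssh -V` on each host and reports whether the linked OpenSSL is older than the fixed releases named in the quoted advisory (0.9.6k and 0.9.7c). It assumes the banner carries the OpenSSL version either as a hex `OPENSSL_VERSION_NUMBER` (layout `0xMNNFFPPS`) or as a dotted string; the sample banners and the function names are constructed for illustration.

```python
import re

# Fixed releases named in the quoted advisory: 0.9.6k and 0.9.7c,
# as (major, minor, fix, patch) with the patch letter mapped a=1, b=2, ...
FIXED_096 = (0, 9, 6, 11)
FIXED_097 = (0, 9, 7, 3)

# Constructed sample banners (not captured from real hosts).
SAMPLES = [
    "OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090609f",  # 0.9.6i
    "OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x009060bf",  # 0.9.6k
    "OpenSSH_X.Y, OpenSSL 0.9.7b 10 Apr 2003",
    "OpenSSH_X.Y, OpenSSL 0.9.7c 30 Sep 2003",
]


def parse_openssl_version(banner):
    """Return (major, minor, fix, patch) from an `ssh -V` banner, or None."""
    m = re.search(r"OpenSSL\s+0x([0-9a-fA-F]{8})\b", banner)
    if m:
        # Hex form 0xMNNFFPPS: the low nibble (status) is dropped.
        n = int(m.group(1), 16)
        return (n >> 28 & 0xF, n >> 20 & 0xFF, n >> 12 & 0xFF, n >> 4 & 0xFF)
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)", banner)
    if m:
        letter = m.group(4)
        patch = ord(letter) - ord("a") + 1 if letter else 0
        return (int(m.group(1)), int(m.group(2)), int(m.group(3)), patch)
    return None


def needs_upgrade(banner):
    """True if the banner's OpenSSL predates the advisory's fixed releases."""
    v = parse_openssl_version(banner)
    if v is None:
        raise ValueError("no OpenSSL version found in banner")
    # 0.9.7 and later are measured against 0.9.7c; everything older
    # (the 0.9.6 branch and earlier) is measured against 0.9.6k.
    if v[:3] >= (0, 9, 7):
        return v < FIXED_097
    return v < FIXED_096


if __name__ == "__main__":
    for line in SAMPLES:
        print(needs_upgrade(line), parse_openssl_version(line), line)
```

`ssh -V` writes its banner to standard error, so capture it with `ssh -V 2>&1` when collecting banners from several hosts.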



