known_hosts vulnerability?
Gabriel M. Elder
eldergabriel at charter.net
Thu May 19 05:30:38 EST 2005
Hey all,
I came across a security news article, referenced by
http://www.linux.org/news, at
http://www.techworld.com/security/news/index.cfm?NewsID=3668
talking about an SSH weakness involving the known_hosts file. I
apologize if this issue has already been addressed, but the mailing list
archives didn't turn up anything when i tried searching for something
relevant. So; not to knee-jerk or anything, but is anyone currently
looking into this? Does this need to be addressed, or has it already
been taken care of? Offhand, on a scale of 0 - 11, this would seem to
rate kinda high, ~7. Am i off-base?
>From the article: "a known_hosts hashing scheme proposed by MIT has been
implemented in OpenSSH 4.0 and in a patch for earlier versions of SSH".
Looking at my own ~/.ssh/known_hosts file, the entries appear to be
encrypted, by default; i assume this is a Good Thing. Installed ssh
package = openssh-server-3.9p1-8.0.1. Shall i now resume my warm fuzzies
and assume all is snug and secure in openssh-land?
More information about the openssh-unix-dev
mailing list