known_hosts vulnerability?
From: Gabriel M. Elder (eldergabriel_at_charter.net)
Date: 05/18/05
To: secureshell@securityfocus.com, openssh-unix-dev@mindrot.org
Date: Wed, 18 May 2005 14:30:38 -0500
Hey all,
I came across a security news article, referenced by
http://www.linux.org/news, at
http://www.techworld.com/security/news/index.cfm?NewsID=3668
talking about an SSH weakness involving the known_hosts file. I
apologize if this issue has already been addressed, but the mailing list
archives didn't turn up anything when I tried searching for something
relevant. So; not to knee-jerk or anything, but is anyone currently
looking into this? Does this need to be addressed, or has it already
been taken care of? Offhand, on a scale of 0 - 11, this would seem to
rate kinda high, ~7. Am I off-base?
From the article: "a known_hosts hashing scheme proposed by MIT has been
implemented in OpenSSH 4.0 and in a patch for earlier versions of SSH".
Looking at my own ~/.ssh/known_hosts file, the entries appear to be
encrypted, by default; I assume this is a Good Thing. Installed ssh
package = openssh-server-3.9p1-8.0.1. Shall I now resume my warm fuzzies
and assume all is snug and secure in openssh-land?
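
One way to check whether the entries in a known_hosts file use the hashed form the quoted article refers to, added here as an example and not part of the original message or of OpenSSH itself. It assumes the hashed host field layout `|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))`; the host names, salt and key material in the sample are constructed.

```python
import base64
import hashlib
import hmac

HASH_MAGIC = "|1|"  # prefix that marks a hashed host field


def hash_host(hostname: str, salt: bytes) -> str:
    """Build a hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def matches(host_field: str, hostname: str) -> bool:
    """True only if host_field is a hashed entry derived from hostname."""
    if not host_field.startswith(HASH_MAGIC):
        return False
    try:
        salt_b64, digest_b64 = host_field[len(HASH_MAGIC):].split("|")
        salt = base64.b64decode(salt_b64, validate=True)
        stored = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # wrong field count or invalid base64
        return False
    expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(stored, expected)


def audit(text: str) -> dict:
    """Sort known_hosts entries into hashed and plaintext host fields, by line number."""
    report = {"hashed": [], "plaintext": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # skip a leading @cert-authority / @revoked marker
            fields = fields[1:]
        if not fields:
            continue
        kind = "hashed" if fields[0].startswith(HASH_MAGIC) else "plaintext"
        report[kind].append((lineno, fields[0]))
    return report


# Constructed sample: one readable entry and one hashed entry (fixed salt for repeatability).
SALT = bytes(range(20))
SAMPLE = "\n".join([
    "# constructed sample, not a real known_hosts file",
    "build01.example.org,192.0.2.10 ssh-rsa AAAAB3PLACEHOLDER",
    hash_host("db01.example.org", SALT) + " ssh-rsa AAAAB3PLACEHOLDER",
])

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any line reported under `plaintext` still exposes the host names and addresses the account has connected to; a hashed entry can only be confirmed by testing a candidate host name against it, as `matches` does.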