
Re: Don't panic (ssh)


On 14 January 2002 at 10:35:17 Thomas Seyrat wrote:

TS>   Not if your SSH daemon is up to date :-)

Is the SSHD in the latest potato fully up-to-date, though? I am a very
recent convert to Debian, having been an avid Slackware fan for the last
seven years. However one of my (very old) Slack boxen was compromised on
Christmas Day via the sshd CRC32 vulnerability and I decided to replace it
with Debian, a distro which has seriously impressed me.

Not wanting the same problem to reoccur, after installation &
configuration I checked my version of sshd. As far as I could ascertain
the sshd which comes with the current potato release is OpenSSH
1.something (can't say exactly what now as I've removed it and my notes
are all at home), however iirc it was only using version 1 of the SSH
protocols, which leaves the vulnerability in place.

I removed the Debian SSH package & manually installed OpenSSH 3.0.2p1
which is invulnerable (so far!) to all known vulnerabilities as long as
version 1 of the SSH protocol isn't used, even as a fallback.

Have I missed something and was I already OK, or is the current stable potato
release shipping with a potential ssh security hole?

--
Iain | PGP mail preferred: pubkey @ www.deepsea.f9.co.uk/misc/iain.asc
                 Versace & Prada mean nothing to me,
           You buy your friends but I'll hate you for free
   Rescue Kyoto, boycott Esso/Exxon/Mobil: http://www.stopesso.com
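As an added illustration of the "no protocol 1, even as a fallback" point above (this is not part of the original thread), a small Python audit of the `Protocol` directive in an sshd_config. It assumes the OpenSSH 3.0.x default of `2,1` when the directive is absent, and that sshd honours the first occurrence of a keyword; the sample configs are constructed.

```python
"""Audit an sshd_config for SSH protocol 1 exposure (constructed example)."""
import re

# Assumption: OpenSSH 3.0.x offers "2,1" when no Protocol directive is present,
# i.e. protocol 1 is silently available as a fallback.
DEFAULT_PROTOCOL = "2,1"


def effective_protocols(config_text):
    """Return the set of protocol versions sshd would offer for this config.

    Comments and blank lines are ignored; the keyword match is
    case-insensitive and accepts either whitespace or '=' as separator.
    The first Protocol line wins, as sshd uses the first value it reads.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(?i)^protocol\s*=?\s*(\S+)$", line)
        if m:
            return {v.strip() for v in m.group(1).split(",") if v.strip()}
    return set(DEFAULT_PROTOCOL.split(","))


def protocol1_enabled(config_text):
    """True when protocol 1 is offered, explicitly or via the default."""
    return "1" in effective_protocols(config_text)


def audit(config_text):
    """One-line verdict for a config."""
    protos = ",".join(sorted(effective_protocols(config_text)))
    if protocol1_enabled(config_text):
        return "RISK: protocol 1 offered (Protocol %s); set 'Protocol 2'" % protos
    return "OK: protocol 2 only (Protocol %s)" % protos


# Constructed sample configurations: weak fallback, implicit default, hardened.
FALLBACK_CFG = "Port 22\nProtocol 2,1\nPermitRootLogin no\n"
IMPLICIT_CFG = "Port 22\nPermitRootLogin no\n"
HARDENED_CFG = "Port 22\n# Protocol 2,1\nProtocol 2\nPermitRootLogin no\n"

if __name__ == "__main__":
    for name, cfg in (("fallback", FALLBACK_CFG), ("implicit", IMPLICIT_CFG),
                      ("hardened", HARDENED_CFG)):
        print("%-9s %s" % (name, audit(cfg)))
```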
