
Re: Don't panic (ssh)



On Mon, Jan 14, 2002 at 11:07:38AM +0000, Iain Tatch wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 14 January 2002 at 10:35:17 Thomas Seyrat wrote:
> 
> TS>   Not if your SSH daemon is up to date :-)
> 
> Is the SSHD in the latest potato fully up-to-date, though? I am a very
> recent convert to Debian, having been an avid Slackware fan for the last
> seven years. However one of my (very old) Slack boxen was compromised on
> Christmas Day via the sshd CRC32 vulnerability and I decided to replace it
> with Debian, a distro which has seriously impressed me.
> 
> Not wanting the same problem to reoccur, after installation &
> configuration I checked my version of sshd. As far as I could ascertain
> the sshd which comes with the current potato release is OpenSSH
> 1.something (can't say exactly what now as I've removed it and my notes
> are all at home), however iirc it was only using version 1 of the SSH
> protocols, which leaves the vulnerability in place.
> 
> I removed the Debian SSH package & manually installed OpenSSH 3.0.2p1
> which is invulnerable (so far!) to all known vulnerabilities as long as
> version 1 of the SSH protocol isn't used, even as a fallback.
> 
> Have I missed something and was I already OK, or is the current stable potato
> release shipping with a potential ssh security hole?

AFAIK, all SSH1 connections are vulnerable to the CRC32 attack. Thus you need to use the SSH2 protocol. OpenSSH supports SSH2. You need different keys though, as SSH2 so far does not support RSA keypairs and needs DSA keys.

Anyone with more in-depth knowledge like to comment?

Crispin
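
One way to check whether protocol version 1 is still reachable "even as a fallback", as an added example that is not part of the original messages: the first function reads the `Protocol` directive from an sshd_config, the second classifies the identification string a daemon sends on connect (`SSH-1.99-` means protocol 1 is still accepted alongside 2). The function names and sample values are constructed for illustration; what a missing `Protocol` line means depends on the build's default, so it is reported as `unset`.

```shell
#!/bin/sh
# Added example: two checks for whether SSH protocol 1 is still offered.

# Classify an sshd_config by its Protocol directive.
# Prints one of: v1-enabled | v2-only | unset
ssh_protocol_status() {
    awk '
        { sub(/#.*/, "") }              # drop comments
        { sub(/=/, " ") }               # accept the "Protocol=2" form
        tolower($1) == "protocol" {     # keyword is case-insensitive
            found = 1                   # the first occurrence is the one used
            n = split($2, v, ",")
            for (i = 1; i <= n; i++)
                if (v[i] == "1") { print "v1-enabled"; exit }
            print "v2-only"
            exit
        }
        END { if (!found) print "unset" }   # result depends on build default
    ' "$1"
}

# Classify the identification string a server sends on connect.
# Prints one of: v1-enabled | v2-only | v1-only | unknown
ssh_banner_status() {
    case "$1" in
        SSH-1.99-*) echo "v1-enabled" ;;    # speaks 2 but still accepts 1
        SSH-2.0-*)  echo "v2-only" ;;
        SSH-1.*)    echo "v1-only" ;;
        *)          echo "unknown" ;;
    esac
}

# Constructed sample config: protocol 1 kept as a fallback.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'Port 22' 'Protocol 2,1' > "$sample"
echo "config: $(ssh_protocol_status "$sample")"
rm -f "$sample"

# Constructed sample banners (version suffixes are placeholders).
for b in 'SSH-1.99-OpenSSH_x' 'SSH-2.0-OpenSSH_x' 'SSH-1.5-example'; do
    echo "$b: $(ssh_banner_status "$b")"
done
```
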


