DSA-1571 and GSSAPI
Hi all!
I was wondering how bad this actually is and it looks extremely horrible. In
practice, all data transmitter over the wire for the last two years and be
snooped upon (if someone has captured it - and the paranoid must assume
someone has).
Trusting on the security of ssh, we have, for example, used ssh to transmit
data from server to server, including such sensitive information as Heimdal
database master key... Am I correct in assuming this key has been
compromised? And along with it all the Heimdal passwords...
However, ever since we started using Heimdal, we have used GSSAPI
authentication by default, which, to my understanding, does not rely on SSH
host or user keys, but bases all its crypto on Kerberos. Does this mean data
transmitted over GSSAPI-authenticated links is still secure? (Not that it
matters much - there is no way of making sure the default (GSSAPI) was
*always* used when transmitting sensitive data.
By the way, if (since?) all the data ever transmitted over any ssh link
secured by a weak key is compromised, it means that every single GPG
passphrase (or any other password) ever transmitted over any of these links
is also compromised. Just count how many times you've used GPG over one of
the weak links...
Cheers (looks like a cheerful weekend to come indeed)...
Juha
Reply to: