This is a discussion on known_hosts vulnerability? within the OpenSSH Development forums, part of the Networking and Network Related category.
Hey all,
I came across a security news article, referenced by http://www.linux.org/news, at http://www.techworld.com/security/ne...fm?NewsID=3668 talking about an SSH weakness involving the known_hosts file. I apologize if this issue has already been addressed, but the mailing list archives didn't turn up anything when I tried searching for something relevant.

So, not to knee-jerk or anything, but is anyone currently looking into this? Does this need to be addressed, or has it already been taken care of? Offhand, on a scale of 0 - 11, this would seem to rate kinda high, ~7. Am I off-base?

From the article: "a known_hosts hashing scheme proposed by MIT has been implemented in OpenSSH 4.0 and in a patch for earlier versions of SSH". Looking at my own ~/.ssh/known_hosts file, the entries appear to be encrypted, by default; I assume this is a Good Thing. Installed ssh package = openssh-server-3.9p1-8.0.1.

Shall I now resume my warm fuzzies and assume all is snug and secure in openssh-land?

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev