Full Disclosure mailing list archives
Re: new ssh exploit?
From: Bennett Todd <bet () rahul net>
Date: Tue, 16 Sep 2003 16:10:09 -0400
2003-09-16T15:55:07 Ron DuFresne:
Don't see many posts from you these day Bennett, good to see you live <smile>.
It's gotten busy out, surely it has.
Got a pointer?
Whenever I can't find some ssh implementation, I go shopping on the "Alternatives" link section in www.openssh.com. The lsh link there, <URL:http://www.net.lut.ac.uk/psst/>, seems current and correct.
I'd seek out myselfm, but have a huge project that's eating me up at present.
lsh has several library dependancies, so there's a little bit of go back and back before it builds. So hold off looking at it until you've got a little more time:-). Once it does build, lshd is easy to get going, lsh takes a little bit more fiddling --- its known_hosts facility is in a state of flux, let us say.
SSH and openssl is fast heading down the upgrade,patch,upgrade,patch scenerio of sendmail and wu_ftpd in the 90's.
This last one broke my camel's back. OpenSSH sshd begone. And so it has. Cool!
It's ssh v2 only; I think that's a transition whose time has come.This I will agree to fully, though, since we see the R* commands persist, and ftpd refuses to die, the list goes on.
Different constraints in different environments. I don't install ftp servers, or rsh clients or servers, on my own systems. On other systems, with external constraints forcing the use of such stuff, I do the best I can. I'm a lot more concerned about the server side than the client side, though. Right now I wouldn't run an OpenSSH sshd exposed to the internet; lshd is fine there. People who can't get sshv2 clients can go away. I expect I'll be keeping around an OpenSSH ssh client for some time.
Don't a number of appliances also use ssh1 and are not upgradeable?
Yup. Maybe some of 'em are vulnerable, too. -Bennett
Attachment:
_bin
Description:
Current thread:
- Re: new ssh exploit?, (continued)
- Re: new ssh exploit? christopher neitzert (Sep 15)
- Re: new ssh exploit? Adam Shostack (Sep 15)
- Re: new ssh exploit? Justin Kreger (Sep 15)
- Re: new ssh exploit? Ron DuFresne (Sep 16)
- Re: new ssh exploit? Jonathan A. Zdziarski (Sep 16)
- Re: new ssh exploit? Valdis . Kletnieks (Sep 17)
- Re: new ssh exploit? Valdis . Kletnieks (Sep 17)
- Re: new ssh exploit? Adam Shostack (Sep 15)
- Re: new ssh exploit? christopher neitzert (Sep 15)
- Re: new ssh exploit? Bennett Todd (Sep 16)
- Re: new ssh exploit? Ron DuFresne (Sep 16)
- Re: new ssh exploit? Bennett Todd (Sep 16)
- Re: new ssh exploit? Blue Boar (Sep 16)
- Re: new ssh exploit? Bennett Todd (Sep 17)
- Re: new ssh exploit? Bennett Todd (Sep 18)
- Re: new ssh exploit? Damian Gerow (Sep 18)
- Re: new ssh exploit? Bennett Todd (Sep 18)
- Re: new ssh exploit? Damian Gerow (Sep 18)