SSH Security: Is this not news?

David A. Sinck plug-discuss@lists.plug.phoenix.az.us
Wed, 18 Dec 2002 11:16:45 -0700


\_ SMTP quoth Eric Lee Green on 12/18/2002 10:17 as having spake thusly:
\_
\_ On Wednesday 18 December 2002 09:40 am, J.Francois wrote:
\_ > I was pretty busy yesterday so if this was posted just ignore me.
\_ > If it wasn't posted, then it's a good heads up.
\_ >
\_ > Cert SSH Advisory - All Versions on All Platforms:
\_ > http://www.cert.org/advisories/CA-2002-36.html
\_ > http://www.kb.cert.org/vuls/id/389665
\_ 
\_ This is basically a man-in-the-middle attack at initial key
\_ chat. 

I missed that point when I read the cert link, probably because I
wasn't up on the SSH phase names.  

OTOH, I did see that

"From my testing it seems that the current version of OpenSSH (3.5) is
not vulnerable to these problems, and some limited testing shows that
no version of OpenSSH is vulnerable."

YMMV.

David