Re: sshd1 allows unencrypted sessions regardless of server policy

From: Pavel Machek (pavelat_private)
Date: Tue Dec 14 1999 - 13:00:21 PST

    Hi!
    
    > Because passphrase-less hostkeys are 'encrypted' with cipher "none"
    > the code for this cipher is always compiled into the programs.  This
    > way the client is free to choose "none" and no server will complain.
    
    And what? A malicious ssh client can make a non-encrypted connection.
    But a malicious ssh client can also send a carbon copy of all
    communication to www.cia.org:5000! There's no way to protect from
    malicious ssh clients...
    
    > The current version OpenSSH-1.2.1 is not vulnerable.  The obvious
    
    ...and I don't see why this is called a vulnerability.
    								Pavel
    --
    I'm pavelat_private "In my country we have almost anarchy and I don't care."
    Panos Katsaloulis describing me w.r.t. patents me at discussat_private
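
Added example, not part of the original message and not taken from any sshd source: a small C model of the server-side decision the quoted text describes, contrasting a server that accepts any cipher compiled into the binary with one that accepts only what its policy offered. The cipher numbers are those of SSH protocol 1; the two masks and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* SSH protocol 1 cipher numbers; the client names one in SSH_CMSG_SESSION_KEY. */
enum {
    SSH_CIPHER_NONE = 0, SSH_CIPHER_IDEA = 1, SSH_CIPHER_DES = 2,
    SSH_CIPHER_3DES = 3, SSH_CIPHER_RC4 = 5, SSH_CIPHER_BLOWFISH = 6
};

#define BIT(c) (1u << (c))

/* Assumed policy (hypothetical): ciphers the administrator allows for sessions. */
static const uint32_t policy_mask = BIT(SSH_CIPHER_3DES) | BIT(SSH_CIPHER_BLOWFISH);

/* Assumed build (hypothetical): everything linked into the binary. "none" is
 * present because passphrase-less host keys are stored with it. */
static const uint32_t compiled_mask =
    BIT(SSH_CIPHER_NONE) | BIT(SSH_CIPHER_IDEA) | BIT(SSH_CIPHER_DES) |
    BIT(SSH_CIPHER_3DES) | BIT(SSH_CIPHER_RC4) | BIT(SSH_CIPHER_BLOWFISH);

/* Bounds-check first: shifting a 32-bit value by 32 or more is undefined. */
static int in_mask(uint32_t mask, uint32_t cipher_type) {
    return cipher_type < 32 && ((mask >> cipher_type) & 1u) != 0;
}

/* Behaviour described in the quoted text: any compiled-in cipher is accepted. */
int accept_if_compiled_in(uint32_t cipher_type) {
    return in_mask(compiled_mask, cipher_type);
}

/* Policy-enforcing variant: the client's choice must be one the server offered. */
int accept_if_offered(uint32_t cipher_type) {
    return in_mask(policy_mask, cipher_type);
}

int main(void) {
    /* Constructed input: every cipher number a client could send, 0 through 6. */
    for (uint32_t c = 0; c <= 6; c++)
        printf("cipher %u: compiled-in check=%d, policy check=%d\n",
               (unsigned)c, accept_if_compiled_in(c), accept_if_offered(c));
    return 0;
}
```

The two checks differ exactly on the ciphers that are compiled in but outside the policy, which in this model includes "none".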
    


