Is this not serious enough to warrant the creation of a new protocol version?
ssh protocol 2.2 or 3?
Yes it will hurt. Hard luck; this was a big mistake.
Anyone blaming 'Debian' is foolish in the extreme; this could have happened in any distro.
It's not about Debian, it's about Linux / GNU/Linux / BSD and friends.
Posted May 18, 2008 18:26 UTC (Sun) by mmarsh (subscriber, #17029)
This had nothing to do with the protocol, it was a question of a single implementation's PRNG.
Debian, OpenSSL, and a lack of cooperation
Posted May 19, 2008 13:21 UTC (Mon) by lbt (subscriber, #29672)
I know.
However, this has essentially exposed a massive number of protocol 2 implementations. If I run a non-Debian ssh server, I still need to upgrade to an sshd that checks the blacklist, right? Since a Debian-using user could have sent me her Debian-generated weak public key? That account is now unsafe?

So if I make or allow a protocol 2 connection on a non-Debian machine, am I safe? Maybe; maybe not.

So bump the protocol and rest assured that anything accepting or making a protocol 2+ connection was implemented after the faulty PRNG debacle, and move on. Would it also avoid the blacklist? No blacklist lookup needed for protocol 2+?

I am not, by any means, a naive user, and yet I can't be sure I've correctly updated all my systems. The fix is complex and subject to human error.
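The blacklist check the comment above refers to, as an added example that is not part of this thread or of any project's own tooling: it scans an authorized_keys file, computes the classic MD5 fingerprint of each key blob, and reports entries whose fingerprint appears in a blacklist. The blacklist is assumed here to be a set of full fingerprints (the blacklists Debian shipped used a truncated form), the option-field handling is a simplification, and all key blobs are constructed stand-ins rather than real keys.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")

def fingerprint(blob_b64: str) -> str:
    """Classic OpenSSH MD5 fingerprint (hex octets joined by ':') of a base64 key blob."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_authorized_keys(text: str):
    """Yield (line_no, key_type, blob, comment) per key line, skipping blanks and '#' lines.
    A leading options field (e.g. no-pty,command="...") is tolerated: the first token that
    is a known key type starts the key. Options containing whitespace are not handled."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                yield line_no, tok, tokens[i + 1], " ".join(tokens[i + 2:])
                break

def find_weak_keys(text: str, blacklist: set) -> list:
    """Return [(line_no, fingerprint, comment)] for keys whose fingerprint is blacklisted."""
    hits = []
    for line_no, _ktype, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        if fp in blacklist:
            hits.append((line_no, fp, comment))
    return hits

def fake_blob(label: bytes) -> str:
    """Constructed stand-in for a key blob (not real key material), base64-encoded."""
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + label).decode()

if __name__ == "__main__":
    # Constructed sample: one key is 'weak' only because its fingerprint is in the blacklist.
    weak, good = fake_blob(b"generated-on-a-broken-prng"), fake_blob(b"generated-elsewhere")
    sample = "\n".join([
        "# constructed authorized_keys",
        f"ssh-rsa {weak} alice@debian-host",
        f'no-pty,command="/bin/true" ssh-rsa {good} backup@other',
    ])
    for hit in find_weak_keys(sample, {fingerprint(weak)}):
        print("WEAK KEY at line %d (%s): %s" % hit)
```

A non-Debian sshd that was never patched to consult such a list still accepts a weak key, which is why the check belongs on the receiving side as well as the generating one.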