LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Debian, OpenSSL, and a lack of cooperation

Debian, OpenSSL, and a lack of cooperation

Posted May 19, 2008 13:21 UTC (Mon) by lbt (subscriber, #29672)
In reply to: Debian, OpenSSL, and a lack of cooperation by mmarsh
Parent article: Debian, OpenSSL, and a lack of cooperation 

I know.
However this has essentially exposed a massive number of protocol 2 implementations. If I run
a non-debian ssh server I still need to upgrade to an sshd that checks the blacklist right?
Since a debian using user could have sent me her debian-generated weak public key? That
account is now unsafe?

So if I make or allow a protocol 2 connection on a non-debian machine am I safe? Maybe; maybe
not.

So bump the protocol and rest assured that anything accepting or making a protocol 2+
connection was implemented after the faulty PRNG debacle and move on.

Would it also avoid the blacklist - no blacklist lookup needed for protocol 2+ ?

I am not, by any means, a naive user - and yet I can't be sure I've correctly updated all my
systems. The fix is complex and subject to human error.

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds