Re: [linux-security] Weaknesses in the SSH protocol
On Fri, Apr 06, 2001 at 01:40:19PM -0700, Martin Siegert wrote:
> Topic
> =====
> Possible to determine password length
>
> Problem description
> ===================
> Weaknesses in the SSH protocols can be used by a passive attacker to deduce
> information about passwords entered over an encrypted connection. This
> information can be used to reduce the number of possible solutions which
> need to be tested to perform a brute-force attack. This reduces the amount
> of time and resources required to mount such an attack successfully.
>
> OpenSSH 2.5.1 and 2.5.2 include modifications which, while not completely
> resolving this problem, reduce the risks by changing certain server
> behaviors to make passive analysis more difficult.
>
<snip>
>
> RedHat 6.x
> ----------
> RedHat 6.x did not come with openssh. I have rebuilt the RedHat 7 rpms
> for RedHat 6.x (for x < 2 you will have to upgrade your initscript package
> in order to use this: rpm -Fvh initscripts-5.00-1.i386.rpm). In order to
> use these packages you must upgrade the openssl package to version 0.9.6.
I have recompiled the openssh rpms to work with RedHat's version of
openssl for RedHat 6.x (openssl-0.9.5a-2.6.x-i386.rpm). You can find
the new packages on sphinx in /vol/vol1/distrib/redhat/contrib or
get them directly from ACS' SSH web page at
http://www.sfu.ca/acs/ssh/ssh_linux.html