Re: [linux-security] Weaknesses in the SSH protocol



On Fri, Apr 06, 2001 at 01:40:19PM -0700, Martin Siegert wrote:
> Topic
> =====
> Possible to determine password length
> 
> Problem description
> ===================
> Weaknesses in the SSH protocols can be used by a passive attacker to deduce
> information about passwords entered over an encrypted connection.  This
> information can be used to reduce the number of possible solutions which
> need to be tested to perform a brute-force attack. This reduces the amount
> of time and resources required to mount such an attack successfully.
> 
> OpenSSH 2.5.1 and 2.5.2 include modifications which, while not completely
> resolving this problem, reduce the risks by changing certain server
> behaviors to make passive analysis more difficult.
> 
<snip>
> 
> RedHat 6.x
> ----------
> RedHat 6.x did not come with openssh. I have rebuilt the RedHat 7 rpms
> for RedHat 6.x (for x < 2 you will have to upgrade your initscript package
> in order to use this: rpm -Fvh initscripts-5.00-1.i386.rpm). In order to
> use these packages you must upgrade the openssl package to version 0.9.6.

I have recompiled the openssh rpms to work with RedHat's version of 
openssl for RedHat 6.x (openssl-0.9.5a-2.6.x-i386.rpm). You can find
the new packages on sphinx in /vol/vol1/distrib/redhat/contrib or
get them directly from ACS' SSH web page at

http://www.sfu.ca/acs/ssh/ssh_linux.html