Open SSH hacked, patch issued

User avatar
elecplus

16 Jan 2016, 22:46

http://www.linuxinsider.com/edpick/82991.html
I know a lot of users here are Linux gurus. Maybe this will be of interest.

User avatar
klikkyklik

16 Jan 2016, 23:02

I saw that fix come through the Debian stable security repo recently. Yes, there was a problem and it's good that it's buttoned up, but if there is anyone that EVER uses an SSH client to connect to untrusted servers, I'd like to know why. :)

In other words, no biggy in the scope of things.

User avatar
scottc

17 Jan 2016, 08:58

Git ofen uses SSH as it's transport. An attacker would have to simply swap DNS records on a local router to point github.com to a malicious server and I bet many people would ignore the warning about the changed server signature.

User avatar
matt3o
-[°_°]-

17 Jan 2016, 11:44

my ssh client won't even log me in if the server signature changes...

User avatar
scottc

17 Jan 2016, 11:47

By default none log you in unless you've got StrictHostChecking no set, but in situations where DNS names are reused over and over (like tearing down and bringing up servers in AWS) you quickly run into situations where users might set that or ignore the warnings.

Plus, you never know when a legitimate friendly server has been compromised!

User avatar
webwit
Wild Duck

17 Jan 2016, 12:08

That would be like a burglar who is already in your house, trying to get your key of the front door.

User avatar
scottc

17 Jan 2016, 12:13

Or a key that opens every door on your employer's street if you've got automated systems and it's infeasible to have an individual key for each...

Post Reply

Return to “Off-topic”