[ale] Known SSH exploits?

Dana Powers dana at slothlovechunk.org
Mon Oct 14 07:55:15 EDT 2002


Well, for one, if you are going to try to keep your company nameless,
you should a) probably not send from a corporate account, b) at least
remove the give-away .sig.
I mean, how hard is it to just 'telnet' to an external machine and
mail from there ;)

Seriously though, SSH has had its share of bug exploits, but like most
other projects, if you keep them up to date, you'll be ahead of the
curve. As for algorithmic exploits, yes, the original SSH protocol,
version 1, has been shown to be vulnerable in a few ways. Most people
feel very safe with SSH protocol 2 using the current OpenSSH, however.
There was a week or so, fairly recently, where it seemed like there
was a new ssh exploit every day - I'm not sure why this was, but that
may be the stem of uncertainty your employer is clinging to.

dpk

----- Original Message -----
From: "Jeff Layton" <jeffrey.b.layton at lmco.com>
To: <ale at ale.org>
Sent: Monday, October 14, 2002 7:26 AM
Subject: [ale] Known SSH exploits?


> Good morning,
>
>    Corporate security where I work (who shall remain nameless
> for the moment :) has decreed that SSH is to be outlawed because
> there are known exploits. I'm starting to do a little investigation
> on this issue, but I know there are some security experts on the
> list who might be able to shed some light on this (Bob T. are you
> there? :)
>    Just to add a little comedy to your morning, SSH is outlawed,
> but telnet is allowed and encouraged.
>
>
> TIA,
>
> Jeff
>
>
> --
>
> Jeff Layton
> Senior Engineer
> Lockheed-Martin Aeronautical Company - Marietta
> email: jeffrey.b.layton at lmco.com
>
> "Is it possible to overclock a cattle prod?" - Irv Mullins
>
> This email may contain confidential information. If you have received this
> email in error, please delete it immediately, and inform me of the mistake by
> return email. Any form of reproduction, or further dissemination of this
> email is strictly prohibited. Also, please note that opinions expressed in
> this email are those of the author, and are not necessarily those of the
> Lockheed-Martin Corporation.
>
>
>
>
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> sent to listmaster at ale dot org.
>
>
>

