ssh Access from the internet

Robert Brockway robert-5LEc/6Zm6xCUd8a0hrldnti2O/JbrIOy at public.gmane.org
Wed May 14 15:07:50 UTC 2008


On Wed, 14 May 2008, Mike Oliver wrote:

> Um -- could someone please explain the implications of this
> to someone who doesn't know much about OpenSSL?  I'm not running
> any servers on my machine and don't think I ever *knowingly*
> generated any openssl keys.  Does that mean I don't have a problem?
>
> What I specifically want to make sure is, if I logged into
> a secure website (https) while I had the vulnerable openssl
> installed, does the vulnerability matter?  Or does it matter only
> if the *server* is running the vulnerable version?

Morning.  It isn't whether the host is a client or a server which is 
important.  What is important is whether the host that created the 
cryptographic key was vulnerable at the time the key was created.  Both 
clients and servers for various protocols will generate keys.

If you have never generated a key pair then you shouldn't need to do 
anything.  You should still be concerned about the vulnerability though as 
sites you use may be impacted.

I can't think of any software that would generate a key pair for the user 
without mentioning it to them.

For an SSL protected website, what is important is whether their key was 
generated on a vulnerable box or not, or whether the cert was signed by a 
vulnerable box.  It is their sysadmins that need to worry.  It seems to me 
that for an SSL protected website the worst case is that someone guesses 
their private key and starts masquerading as them.  A serious problem to 
be sure.

Bottom line is regular users who have never generated key pairs shouldn't 
need to do anything but should still be concerned about the problem.

HTH.

Cheers,

Rob

-- 
"With sufficient thrust, pigs fly just fine..."
 	-- RFC 1925 "The Twelve Networking Truths"
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists




