[OT] Security hole in PuTTY (Windows ssh client)
stheg olloydson
stheg_olloydson at yahoo.com
Mon Aug 16 17:06:29 PDT 2004
it was said:
> I think what you are saying is that if you use PuTTY as a client
> application that you should be concerned about what server you
> connect to? From what you are saying, I suspect that if the only
> use is to connect to your own (FreeBSD) server, you are probably ok?
>
> Jay O'Brien
Hello,
To quote from the link:
In SSH2, an attacker impersonating a trusted host can launch an attack
before the client has the ability to determine the difference between
the trusted and fake host. This attack is performed before host key
verification.
Presuming one were connecting over "private" network IP space by IP
address only, then I believe you are correct. I can imagine scenarios
in which if one were to connect over the Internet or even into a
different network segment using DNS that one would be at risk.
The vendor has a patched the hole and released 0.55, recommending all
users update. If I were using this software, I would take their advice.
Note: Apparently, a "Unix" version exists, and the source code is
available under the MIT Licence. So I guess my post was "completely"
OT.
HTH,
Stheg
__________________________________
Do you Yahoo!?
Y! Messenger - Communicate in real time. Download now.
http://messenger.yahoo.com
More information about the freebsd-questions
mailing list