Date:      Mon, 16 Aug 2004 17:06:28 -0700 (PDT)
From:      stheg olloydson <stheg_olloydson@yahoo.com>
To:        Jay O'Brien <jayobrien@att.net>
Cc:        questions@freebsd.org
Subject:   Re: [OT] Security hole in PuTTY  (Windows ssh client)
Message-ID:  <20040817000628.46249.qmail@web61302.mail.yahoo.com>
In-Reply-To: <412141E7.60205@att.net>

it was said:

> I think what you are saying is that if you use PuTTY as a client 
> application that you should be concerned about what server you 
> connect to?  From what you are saying, I suspect that if the only 
> use is to connect to your own (FreeBSD) server, you are probably ok?
> 
> Jay O'Brien

Hello,

To quote from the link:

In SSH2, an attacker impersonating a trusted host can launch an attack
before the client has the ability to determine the difference between
the trusted and fake host. This attack is performed before host key
verification.


Presuming one were connecting over "private" network IP space by IP
address only, then I believe you are correct. I can imagine scenarios
in which if one were to connect over the Internet or even into a
different network segment using DNS that one would be at risk. 
The vendor has patched the hole and released 0.55, recommending all
users update. If I were using this software, I would take their advice.

Note: Apparently, a "Unix" version exists, and the source code is
available under the MIT Licence. So I guess my post was "completely"
OT.


HTH,

Stheg


		