[SOLVED] OpenSSH and OpenSSL

mpop · 04-10-2014, 07:04 PM

I been hearing some conflicting information about the OpenSSL issue as of late. So I thought I would ask here on the slackware forum.

My question is I heard that if you had a vulnerable openssl installed at the time you generated your openssh keys your keys would be vulnerable. And that you should regenerate them. Others have said that openssh does not use openssl. So my question is what is the low down, are my logins still vulnerable on the servers that I have my keys on?

My setup is Slackware 14.1 (I have, as of today, updated both the openssl and openssh packages) I have disabled all password logins to all computers I control (along with turning off root login via ssh)

JWJones · 04-10-2014, 08:15 PM

This does not affect OpenSSH at all. See here straight from the man himself:

http://undeadly.org/cgi?action=artic...20140408063423

JWJones · 04-10-2014, 08:23 PM

Furthermore:

Quote:

After patching, private keys and certificates exposed to services running
this code (for example web/mail server SSL certificates) should be replaced
and old certificates revoked.

Only SSL/TLS services are affected. Software that uses libcrypto alone
is not affected. In particular, ssh/sshd are not affected and there
is no need to regenerate SSH host keys that have not otherwise been
exposed.

http://ftp.openbsd.org/pub/OpenBSD/p..._openssl.patch

mpop · 04-10-2014, 08:33 PM

Thanks guys, it is appreciated.