On Sun, Jan 28, 2001 at 07:51:51PM -0600, Jeffrey Taylor wrote:
This "bug" is also in OpenSSH 2.1.1. Maybe it is a feature.
Jeffrey
Then it's a rather dangerous feature. Given the existence of this MITM "tool" it's a straightforward road to security compromise.
-Kastus
Quoting Konstantin (Kastus) Shchuka <kastus@tsoft.com>:
On Sun, Jan 28, 2001 at 02:13:45PM -0800, Ben Rosenberg wrote:
Just an FYI to everyone. I wouldn't bother ordering anything from out of country. SuSE 7.1 will not have different versions this time. All the crypto software is included. So whatever country you are in ..you get the full deal with no downloads..I am not saying we are shipping every single crypto package under the sun..but things like openssl and openssh will be included. I haven't had time to look at the other stuff yet. I am busy fighting with CUPS under 7.1 .. it don't likey my HP 600. :(
Sorry for that, Ben. As you mentioned openssh here, let me draw your attention to the fact that ssh-keygen is half-broken in 2.3.0.p1. It doesn't show fingerprints of DSA keys. One may say it's not a big deal. But how can I make sure that I am logging in to the real server for the first time when it shows its key fingerprint and I am not able to compare it?
The bug was in 2.2.0 and wasn't fixed in 2.3.0p1. :-(
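
For the comparison the message above asks about, here is an added example (not part of the thread and not OpenSSH code). It computes the colon-separated MD5 fingerprint of an SSH-2 public key line and compares it with the value the client displays at first connection. It assumes that display format; the function names are hypothetical, and the DSA key blob is constructed and toy-sized.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def read_key_type(blob: bytes) -> str:
    """Return the algorithm name stored as the first string of a key blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("malformed key blob")
    return blob[4:4 + n].decode("ascii")


def md5_fingerprint(pubkey_line: str) -> str:
    """Fingerprint of one line of a .pub file: '<type> <base64> [comment]'."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # Reject a line whose declared type disagrees with the encoded blob.
    if read_key_type(blob) != fields[0]:
        raise ValueError("key type does not match the encoded blob")
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def matches(pubkey_line: str, shown: str) -> bool:
    """Compare the computed fingerprint with the one the client displayed."""
    return hmac.compare_digest(md5_fingerprint(pubkey_line), shown.strip().lower())


# Constructed sample: a structurally valid but toy-sized ssh-dss blob (p, q, g, y).
SAMPLE_BLOB = b"".join(
    ssh_string(x) for x in (b"ssh-dss", b"\x17", b"\x0b", b"\x04", b"\x08"))
SAMPLE_LINE = "ssh-dss " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed@example"

if __name__ == "__main__":
    print(md5_fingerprint(SAMPLE_LINE))
```

The public key line has to reach you over a channel you already trust (console access, or read out by the administrator); a key fetched over the same unverified connection proves nothing.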