| 1 |
Exactly, OpenSSH depends on OpenSSL, but should never use the buggy code. |
| 2 |
|
| 3 |
Some details in the answer here: |
| 4 |
http://superuser.com/questions/739349/does-heartbleed-affect-ssh-keys |
| 5 |
|
| 6 |
|
| 7 |
On 04/10/2014 07:00 PM, Randolph Maaßen wrote: |
| 8 |
> The Heartbleed bug is in the Heartbeat function of TSL (a second keep |
| 9 |
> alive). OpenSSL does not use TLS for transport security, it uses its |
| 10 |
> own Protokoll for security. |
| 11 |
> |
| 12 |
> 2014-04-10 12:51 GMT+02:00 Nilesh Govindrajan <me@××××××××.com>: |
| 13 |
>> On Thu, Apr 10, 2014 at 4:22 PM, Matthew Finkel |
| 14 |
>> <matthew.finkel@×××××.com> wrote: |
| 15 |
>>> On Thu, Apr 10, 2014 at 05:53:44PM +0800, J?n Zahornadsk? wrote: |
| 16 |
>>>> On 04/10/2014 05:03 PM, Adam Carter wrote: |
| 17 |
>>>>> |
| 18 |
>>>>> What surprises me here is OpenSSH. It's not supposed to use OpenSSL |
| 19 |
>>>>> but Debian update process suggests to restart it after updating |
| 20 |
>>>>> OpenSSL to a fixed version. Is it an overkill on their part? It |
| 21 |
>>>>> might confuse admins. |
| 22 |
>>>>> |
| 23 |
>>>>> |
| 24 |
>>>>> adam@proxy ~ $ ldd /usr/sbin/sshd |
| 25 |
>>>>> linux-vdso.so.1 (0x00007fffb068e000) |
| 26 |
>>>>> libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f68db1e6000) |
| 27 |
>>>>> libpam.so.0 => /lib64/libpam.so.0 (0x00007f68dafd8000) |
| 28 |
>>>>> libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x00007f68dabf5000) |
| 29 |
>>>>> libutil.so.1 => /lib64/libutil.so.1 (0x00007f68da9f2000) |
| 30 |
>>>>> libz.so.1 => /lib64/libz.so.1 (0x00007f68da7db000) |
| 31 |
>>>>> libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f68da5a4000) |
| 32 |
>>>>> libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f68da387000) |
| 33 |
>>>>> libc.so.6 => /lib64/libc.so.6 (0x00007f68d9fd7000) |
| 34 |
>>>>> libgcc_s.so.1 => |
| 35 |
>>>>> /usr/lib/gcc/x86_64-pc-linux-gnu/4.8.2/libgcc_s.so.1 (0x00007f68d9dc0000) |
| 36 |
>>>>> libdl.so.2 => /lib64/libdl.so.2 (0x00007f68d9bbc000) |
| 37 |
>>>>> /lib64/ld-linux-x86-64.so.2 (0x00007f68db3f1000) |
| 38 |
>>>>> adam@proxy ~ $ qfile /usr/lib64/libcrypto.so.1.0.0 |
| 39 |
>>>>> dev-libs/openssl (/usr/lib64/libcrypto.so.1.0.0) |
| 40 |
>>>>> adam@proxy ~ $ |
| 41 |
>>>>> |
| 42 |
>>>>> So OpenSSH clearly IS using OpenSSL, and you need to restart sshd after |
| 43 |
>>>>> upgrading OpenSSL. |
| 44 |
>>>> |
| 45 |
>>>> As far as I know, it doesn't use it for the communication itself, just |
| 46 |
>>>> some key generations, so it shouldn't be affected by this bug. But I |
| 47 |
>>>> guess better safe than sorry... |
| 48 |
>>>> |
| 49 |
>>> |
| 50 |
>>> Right. heartbleed does not directly affect openssh, but openssh uses |
| 51 |
>>> openssl and it's good practice to keep the shared libraries on-disk and |
| 52 |
>>> the shared libraries in-memory in sync. |
| 53 |
>>> |
| 54 |
>> |
| 55 |
>> |
| 56 |
>> How is OpenSSH not affected? |
| 57 |
>> |
| 58 |
> |
| 59 |
> |
| 60 |
> |
Archives