Exactly, OpenSSH depends on OpenSSL, but should never use the buggy code. Some details in the answer here: http://superuser.com/questions/739349/does-heartbleed-affect-ssh-keys
On 04/10/2014 07:00 PM, Randolph Maaßen wrote: > The Heartbleed bug is in the Heartbeat function of TSL (a second keep > alive). OpenSSL does not use TLS for transport security, it uses its > own Protokoll for security. > > 2014-04-10 12:51 GMT+02:00 Nilesh Govindrajan <m...@nileshgr.com>: >> On Thu, Apr 10, 2014 at 4:22 PM, Matthew Finkel >> <matthew.fin...@gmail.com> wrote: >>> On Thu, Apr 10, 2014 at 05:53:44PM +0800, J?n Zahornadsk? wrote: >>>> On 04/10/2014 05:03 PM, Adam Carter wrote: >>>>> >>>>> What surprises me here is OpenSSH. It's not supposed to use OpenSSL >>>>> but Debian update process suggests to restart it after updating >>>>> OpenSSL to a fixed version. Is it an overkill on their part? It >>>>> might confuse admins. >>>>> >>>>> >>>>> adam@proxy ~ $ ldd /usr/sbin/sshd >>>>> linux-vdso.so.1 (0x00007fffb068e000) >>>>> libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f68db1e6000) >>>>> libpam.so.0 => /lib64/libpam.so.0 (0x00007f68dafd8000) >>>>> libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 >>>>> (0x00007f68dabf5000) >>>>> libutil.so.1 => /lib64/libutil.so.1 (0x00007f68da9f2000) >>>>> libz.so.1 => /lib64/libz.so.1 (0x00007f68da7db000) >>>>> libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f68da5a4000) >>>>> libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f68da387000) >>>>> libc.so.6 => /lib64/libc.so.6 (0x00007f68d9fd7000) >>>>> libgcc_s.so.1 => >>>>> /usr/lib/gcc/x86_64-pc-linux-gnu/4.8.2/libgcc_s.so.1 (0x00007f68d9dc0000) >>>>> libdl.so.2 => /lib64/libdl.so.2 (0x00007f68d9bbc000) >>>>> /lib64/ld-linux-x86-64.so.2 (0x00007f68db3f1000) >>>>> adam@proxy ~ $ qfile /usr/lib64/libcrypto.so.1.0.0 >>>>> dev-libs/openssl (/usr/lib64/libcrypto.so.1.0.0) >>>>> adam@proxy ~ $ >>>>> >>>>> So OpenSSH clearly IS using OpenSSL, and you need to restart sshd after >>>>> upgrading OpenSSL. >>>> >>>> As far as I know, it doesn't use it for the communication itself, just >>>> some key generations, so it shouldn't be affected by this bug. But I >>>> guess better safe than sorry... >>>> >>> >>> Right. heartbleed does not directly affect openssh, but openssh uses >>> openssl and it's good practice to keep the shared libraries on-disk and >>> the shared libraries in-memory in sync. >>> >> >> >> How is OpenSSH not affected? >> > > >
