On Fri, 7 Jul 2000, Benjamin Scott <[EMAIL PROTECTED]> wrote:
> On Fri, 7 Jul 2000, Jeffry Smith wrote:
> 
>   Hmmm.  According to http://www.openssh.com/goals.html:
> 
> > [SSH] Protocol 2 was invented to avoid the patent issues regarding RSA,
> > and to fix the CRC data integrity problem that SSH1 has.  By using the
> > asymmetric DSA and DH algorithms, protocol 2 avoids all patents.
> 
>   Not that I really care much about RSA's patent, but this made me feel better
> when I upgraded to OpenSSH V2.  Now I'm feeling confused.

It uses Diffie-Hellman instead of RSA, right?

> > The issues are not with patents but with the fact that US sites often
> > compile against RSARef which has buffer overflow problems.
>                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
>   I didn't know that.  Wonderful.  Something *else* to worry about.
> 
>   How can I tell if the version I downloaded is linked against RSARef, as
> opposed to some other implementation?

Run ssh -v and look for "Does not use RSAREF":

# ssh -v
SSH Version 1.2.27 [i486-unknown-linux], protocol version 1.5.
Standard version.  Does not use RSAREF.
Usage: ssh [options] host [command]
Options:
  -l user     Log in using this user name.
..

It is a little harder to check sshd for this. I vaguely remember
figuring it out somehow (probably I looked at the source). If the ssh
and sshd came together they were likely built the same way (though sshd
is the one you really want to protect against buffer overflow).

Karl Runge

