In article [EMAIL PROTECTED],
Kari Hurtta [EMAIL PROTECTED] wrote:
1){
2) static time_t last_kill_time = 0;
3) if (time(NULL) - last_kill_time 60 getppid() != 1)
4){
5) last_kill_time = time(NULL);
6) kill(SIGALRM, getppid());
7) }
8)
Hi!
1){
2) static time_t last_kill_time = 0;
3) if (time(NULL) - last_kill_time 60 getppid() != 1)
4){
5) last_kill_time = time(NULL);
6) kill(SIGALRM, getppid());
7) }
8) fatal("Bad result from rsa_private_decrypt");
9)}
1){
2) static time_t last_kill_time = 0;
3) if (time(NULL) - last_kill_time 60 getppid() != 1)
4){
5) last_kill_time = time(NULL);
6) kill(SIGALRM, getppid());
7) }
8) fatal("Bad result from rsa_private_decrypt");
9)}
actually...if
-- With the patch, the lifespan of the server key still does not go
below one minute. As mentioned in CORE SDI's advisory, the number
of server connections necessary to carry out the attack is
normally very large but "the number of connections given is for
the average case
-- With the patch, the lifespan of the server key still does not go
below one minute. As mentioned in CORE SDI's advisory, the number
of server connections necessary to carry out the attack is
normally very large but "the number of connections given is for
the average
http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm
includes the line of code:
kill(SIGALRM, getppid());
This is contained within what is listed as an "unsupported and
untested patch" developed by SSH.com.
The problem is that the arguments to "kill" are in the wrong order. In