Slashdot Mirror


SSH Taking Stand On Vulnerability

jeffy124 writes "SSH Communications is recognizing the vulnerability claim made by UC Berkeley researchers earlier this week. They say it is not a practical threat to the ssh protocol, and people can still remain confident in keeping communications over ssh private. While this is true IMO, they are open to and will be researching techniques that would make the standard stronger, along with hopes of lessening this vulnerability."

4 of 90 comments

  1. Do they do the commercial one? by codeforprofit2 · Score: 2, Insightful

    How is it with openssh?

  2. So what.. by eye.likeJava() · Score: 4, Insightful

    It is a sort of exploit, but it goes close along the lines of "well, what happens if the hacker calls halt on the machine and dumps memory?" Like any program can do anything much about that.

    If you have people capable of reconstructing passwords from key timings then you have got yourself a problem.

    The only solution is to inject fake data.

    --
    ... although I also like C#..

  3. Another solution by Falsch+Freiheit · Score: 3, Insightful

    Use the key (RSA or DSA) authentication as your normal method of authentication. Heck, if you set up the ssh agent it's even more convenient than password-based authentication.

    And I did a quick check (tcpdump in one window, ssh in in another window) and there's no packet sent for each stroke of my password; one packet is sent when I hit <enter> at the end of my password. I suppose length could probably still be figured out from those packets, though. I'm running OpenSSH 2.5.2p2 (the version that came from RedHat with RH 7.1).

  4. Re:OpenSSH - no problem by Anonymous Coward · Score: 1, Insightful

    TCP segment, not packet.