|
Viewing Issue Advanced Details
[ Jump to Notes ]
[ Wiki ]
|
[ View Simple ]
[ Issue History ]
[ Print ]
|
|
ID |
Category |
Severity |
Reproducibility |
Date Submitted |
Last Update |
|
0012656 |
[DCSS] Bug Report |
major |
sometimes |
2021-10-08 13:34 |
2021-10-08 13:34 |
|
|
Reporter |
damerell |
View Status |
public |
|
|
Assigned To |
|
|
Priority |
normal |
Resolution |
open |
Local or Remote |
Remote |
|
Status |
new |
|
Operating System |
Online |
|
Projection |
none |
|
Console or Tiles |
Console |
|
ETA |
none |
Fixed in Branch |
|
Product Branch |
longterm development (0.31+) |
| |
Product Version |
not applicable |
|
|
Summary |
0012656: CAO (and others?) has ancient ssh daemon, probably insecure. |
|
Description |
https://www.openssh.com/releasenotes.html [^] - "This release disables RSA signatures using the SHA-1 hash algorithm by default."
On IRC I saw a report of the practical effects of this in the wild; a user unable to connect with a new OpenSSH to CAO.
The sshd on CAO reports itself as OpenSSH_6.0p1. If true, this is too old for "OpenSSH has supported RFC8332 RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys will automatically use the stronger algorithm where possible"; it is also the version from Debian wheezy, which went out of security support three years ago. |
|
Steps To Reproduce |
|
|
Additional Information |
|
| Tags |
No tags attached. |
|
|
Attached Files |
|
|
|
Relationships 
