ID: 0012656
Category: [DCSS] Bug Report
Severity: major
Reproducibility: sometimes
Date Submitted: 2021-10-08 13:34
Last Update: 2021-10-08 13:34
Reporter: damerell
View Status: public
Assigned To:
Priority: normal
Resolution: open
Status: new
Product Branch: longterm development (0.31+)
Summary: 0012656: CAO (and others?) has ancient ssh daemon, probably insecure.
Description: https://www.openssh.com/releasenotes.html - "This release disables RSA signatures using the SHA-1 hash algorithm by default."

On IRC I saw a report of the practical effects of this in the wild; a user unable to connect with a new OpenSSH to CAO.

The sshd on CAO reports itself as OpenSSH_6.0p1. If true, this is too old for "OpenSSH has supported RFC8332 RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys will automatically use the stronger algorithm where possible"; it is also the version from Debian wheezy, which went out of security support three years ago.
Additional Information:
Tags: No tags attached.
Attached Files:

Relationships

There are no notes attached to this issue.
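
An added example, not part of the original report or of any DCSS server tooling: checking a server's SSH identification string against the 7.2 threshold quoted in the description. The function names and sample greetings are constructed for illustration.

```python
import re

# From the release notes quoted in the report: RFC 8332 rsa-sha2-256/512
# signatures are supported from OpenSSH 7.2 onward.
RFC8332_MIN = (7, 2)

_ID_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
_OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)")

def identification_line(raw: bytes) -> str:
    """Find the identification string in the first bytes a server sends.

    RFC 4253 section 4.2 allows other text lines before it, so skip any
    line that does not start with 'SSH-'.
    """
    for line in raw.split(b"\n"):
        text = line.rstrip(b"\r").decode("ascii", errors="replace")
        if text.startswith("SSH-"):
            return text
    raise ValueError("no SSH identification string found")

def assess(raw: bytes) -> dict:
    """Report whether the advertised version can sign with RSA/SHA-2."""
    ident = identification_line(raw)
    m = _ID_RE.match(ident)
    if not m:
        raise ValueError(f"malformed identification string: {ident!r}")
    # rsa_sha2 stays None when the banner is not OpenSSH (cannot tell).
    result = {"ident": ident, "version": None, "rsa_sha2": None}
    v = _OPENSSH_RE.match(m["software"])
    if v:
        version = (int(v[1]), int(v[2]))  # numeric compare, so 10.0 > 7.2
        result["version"] = version
        result["rsa_sha2"] = version >= RFC8332_MIN
    return result

# Constructed sample greetings (not captured from any real host).
SAMPLES = [
    b"SSH-2.0-OpenSSH_6.0p1 Debian-4\r\n",
    b"Welcome banner line\r\nSSH-2.0-OpenSSH_8.8\r\n",
    b"SSH-2.0-dropbear_2020.81\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess(sample))
```

The version in the identification string is self-reported, and distribution packages may carry backported fixes under an old version number, so a `False` result is a reason to inspect the host, not proof of its exact patch level.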

Issue History
Date Modified Username Field Change
2021-10-08 13:34 damerell New Issue

