On Tue, 13 May 2014, Skylar Thompson wrote:

On 05/13/2014 01:29 PM, Brandon Allbery wrote:

On Tue, May 13, 2014 at 4:21 PM, David Nolan <no...@managedandmonitored.net> wrote:

    While SSH is not affected directly by the heartbleed bug, if you
    have a server that was affected by the heartbleed bug there is some
    risk that the SSH private key may have been exposed.


This requires that you somehow got the ssh private key into the memory
of an SSL-using process. I would argue that if that was possible, you
already had a pretty significant security hole.

The only possibility I can think of is if you're using HTTPS as a way of
distributing SSH private keys. I've never heard of anyone doing such a
thing, but I suppose someone's probably tried it.

I'm sure that there are config management tools out there that use SSL/TLS for their communications.

The other possibility would be if someone could have learned enough from a webserver to log in to your system (someone using the same password for a web page as for ssh access where you allow password authentication for ssh, as an example).

David Lang
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/