On Wed, Dec 15, 2010 at 1:46 AM, John R Pierce <pierce@xxxxxxxxxxxx> wrote:
> On 12/14/10 10:30 PM, Fajar Priyanto wrote:
>> http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
>>
>> Is CentOS affected?
>
> It's not clear yet if even OpenBSD is affected. It'd be pretty hard to
> imagine any such back door remaining in 10-year-old code that's subject
> to such rigorous security audits as OpenBSD's.
>
> There's a lot that doesn't jibe. Like, the encryption coding was all
> done outside the USA, so the encryption export laws in effect at the time
> had no impact.

As someone contributing patches to the original SSH software and later OpenSSH patches at the time, I've got to say "no, it wasn't". Patches were accepted from anywhere. Carefully code reviewed, and many patches rejected, but indeed accepted.

My favorite rejected patch was the "stop doing reverse DNS lookups, dang it!" patch. The only graceful way to entirely turn it off is to set the SSH daemon to record a maximum hostname length of zero, which is a very strange way to simply disable that behavior. (It causes serious connection lag in networks where you're unlikely to be able to get reliable reverse DNS, which is far too common a setup issue.)

Patches aren't necessarily considered encryption.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos