Re: CVE-2014-0160 CentOS 6 openssl heartbleed workaround




On Tue, Apr 8, 2014 at 2:08 PM, Keith Keller
<kkeller@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> On 2014-04-08, Robert Arkiletian <robark@xxxxxxxxx> wrote:
>>
>> if you include libcrypto in the grep then sshd is affected.
>
> That's unfortunate.  :(  Is the bug in libssl, libcrypto, or both?
>
> Since sshd is in doubt, I would like to force my users to change their
> password, which is stored on a central openldap server.  What's the
> canonical CentOS way to do this?  I've done some web searches for some
> answers, but haven't found anything really definitive, just some
> workarounds and some crude hacks.
>

I'm not positive but from reading other forums it seems sshd is *not* affected.

http://security.stackexchange.com/questions/55076/what-should-a-website-operator-do-about-the-heartbleed-openssl-exploit
----snip---
It's worth pointing out that OpenSSH is not affected by the OpenSSL
bug. While OpenSSH does use openssl for some key-generation functions,
it does not use the TLS protocol (and in particular the TLS heartbeat
extension that heartbleed attacks). So there is no need to worry about
SSH being compromised, though it is still a good idea to update
openssl to 1.0.1g or 1.0.2-beta2 (but you don't have to worry about
replacing SSH keypairs).
----snip----

Can someone confirm the above to be true?
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
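
Added example, not part of the original thread: the question above turns on whether a binary links libssl (the TLS code, which is where the heartbeat extension is handled) or only libcrypto (the crypto primitives). The script below classifies binaries from `ldd` output; the function names and the sample `ldd` listing are constructed for illustration.

```shell
#!/bin/sh
# classify_linkage: read ldd-style output on stdin, where each binary's
# library list is preceded by a "path:" header line, and print one
# "<path> <class>" line per binary. Classes:
#   libssl          links libssl (TLS code, includes heartbeat handling)
#   libcrypto-only  links libcrypto but not libssl (no TLS via OpenSSL)
#   none            links neither
classify_linkage() {
    awk '
        function emit() {
            if (path != "")
                print path, (ssl ? "libssl" : (crypto ? "libcrypto-only" : "none"))
        }
        # Header line: starts in column 1 and ends with a colon.
        /^[^ \t].*:$/ { emit(); path = substr($0, 1, length($0) - 1)
                        ssl = 0; crypto = 0; next }
        /libssl\.so/    { ssl = 1 }
        /libcrypto\.so/ { crypto = 1 }
        END { emit() }
    '
}

# scan_binaries: run ldd on each argument and classify it. The header is
# printed here because ldd omits it when given a single file.
# Use only on trusted system binaries.
scan_binaries() {
    for f in "$@"; do
        printf '%s:\n' "$f"
        ldd "$f" 2>/dev/null
    done | classify_linkage
}

# Constructed sample input (addresses are made up), so the parser can be
# exercised on a machine without these binaries.
sample_ldd_output() {
    cat <<'EOF'
/usr/sbin/sshd:
	libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f0000000000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000100000)
/usr/lib64/httpd/modules/mod_ssl.so:
	libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f0000200000)
	libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f0000300000)
/bin/ls:
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000400000)
EOF
}
```

`ldd` only shows load-time dependencies, so scan loadable modules such as `mod_ssl.so` directly rather than the daemon that loads them. A `libssl` result says the binary can speak TLS through OpenSSL; whether it is exposed still depends on the installed OpenSSL build.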



