Hi Greg,
> > Actually any version of ssh 1.2 or less as well as openssh 1.21 or less..
>
> Indeed, but the really important thing to remember is that doing
> *anything* with a compromised server, let alone SSH'ing into it, is very
> risky business indeed.
Agreed, you leave yourself wide open to all sorts of fun and games;-))
> If you have some automated job running "scp" or "ssh" and you don't have
> good strong intrusion detection facilities to protect the server (which
> would make it at least possible to stop the automated job before it
> allowed any propagation of the attack) then you're taking massive risks
> already.
Yes, anytime you automate you are assuming that whatever you are
automating is, shall we say, not currently being exploited..
>
> Any SSH server trusting a compromised client is in even worse shape, and
> if you agree with Bruce Schneier (or me! ;-) then you'll know there is
> no such thing as "trusted client software"! :-)
Hmmm.. I would agree with that as well.. actually any time you do anything
there is a degree of risk.. :-))
> --
> Greg A. Woods