While SSH is not affected directly by the Heartbleed bug, if you have a server that was affected by the Heartbleed bug there is some risk that the SSH private key may have been exposed. I would consider any private data (SSH keys, database passwords, cloud API credentials, etc.) on a machine that was vulnerable to Heartbleed as potentially exposed. If you're replacing the SSL certificate on a machine you should probably replace all those other things as well.
-David

On Tue, May 13, 2014 at 4:06 PM, Robert Hajime Lanning <[email protected]> wrote:

> SSH is not affected by the Heartbleed bug.
>
> Heartbleed is a vulnerability in the implementation of SSL/TLS protocol,
> not the actual encryption.
>
> SSH is its own protocol. The only OpenSSL calls are for libcrypt.so, not
> libssl.so.
>
> There is no such thing as an SSL Heartbeat in SSH.
>
>
> On 05/13/14 12:57, Mathew Snyder wrote:
>
>> SSH.com states that SSH is _not_ affected by the bug. I haven't found
>> anything regarding openSSH, though.
>>
>> We are currently in a discussion as to whether or not we should be
>> updating the host keys across our entire enterprise. If SSH doesn't use
>> TLS, which the bug affects, is it necessary to replace the host keys?
>>
>
> --
> Mr. Flibble
> King of the Potato People
> http://www.linkedin.com/in/RobertLanning
> _______________________________________________
> Tech mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
>
