[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] Alternative to openssl/openssh



Hi...

Are there any secure alternatives to openssl/openssh?
It is no fun to patch these stuff almost every day or week or better said
the last time too often!

There is LSH, but it has issues as well. I dont think that openssl and openssh are in a bad state (quality of code wise). IMHO the multiple vulnerabilities that have been discovered the last weeks, are the result of code reviews.

Its the nature of the beast, code will have bugs. Software will have security issues. Changing to another, less used and thus less reviewed software will not do much for you (e.g. LSH had a root exploit floating around, and since a few people changed over to it after the OpenSSH fiasco of the last weeks, expect another couple of vulns./exploits the next weeks). IMHO the better way is to focus on installing / configuring the software in a secure way, to make standard exploiting harder, saving you time (e.g chrooting, using things like lids or RSBAC). On "special" systems you might use security by obscurity (e.g. SSH port only opens up after connection requests to a certain number/sequence of ports), but creating these kind of things might impose new security threats.

Peace,
Tom


--
this is a maillist account, so please
send personal replies to tom[at-sign-here]wiretap[little-dot-here]de


--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here