SSL and SSH
JD Runyan
Jason.Runyan at nitckc.usda.gov
Thu Mar 21 20:56:57 CST 2002
In no way should that email be considered an endorsement of static linking
OpenSSH, but there are good rationals for static linking some applications.
The /bin/sh on your system should be a statically linked version of bash for
security purposes is one example.
On Mar 21 13:20, Brian Densmore wrote:
> Static linking is generally a very bad thing. Think about all those
> applications out there that are static linked to zlib 1.1.3. They all
> now have to be recompiled with zlib 1.1.4 to fix the "double free" root
> exploit. Anyone figured out how to use it yet? Please don't post it, if
> you have. I am just wondering. I haven't figured out a way to exploit
> from an external machine. I could write a program to do it, but then the
> problem is to get it on to a box and then execute it. I'm not sure how
> you would do it without putting your own trojan on the box first. So you
> would have to have an exploit to exploit the exploit!? That new PHP
> exploit actually sounds rather bad though.
>
> Brian
>
> > -----Original Message-----
> > From: JD Runyan [mailto:Jason.Runyan at nitckc.usda.gov]
> > Sent: Thursday, March 21, 2002 11:41 AM
> > To: KCLUG (E-mail)
> > Subject: Re: SSL and SSH
> >
> >
> > You can compile it with static linking of the ssl libraries,
> > but I think you
> > would have to use another machine to generate keys.
> > On Mar 21 11:13, Brian Densmore wrote:
--
Jason D. Runyan
Mid-Range Systems Administrator
USDA NITC Kansas City
More information about the Kclug
mailing list