Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I could be wrong, but if you are using public/private keys to authenticate to ssh, then even attacks that can listen in on the connection would be limited. Because the private key is never transmitted, unlike a password.


With heartbleed, a bug in the implementation of the protocol led to the server randomly leaking contents of the server’s memory, which could be anything from private keys to user or system passwords to other confidential information. No passwords or MitM was required. You can read more at heartbleed.com


And it still doesn't matter, because sshd literally never has the private key that allows access. If a server only allows access via SSH key, you could literally have a complete RAM dump of the whole system and not be able to access it.


> still doesn't matter (...) you could literally have a complete RAM dump of the whole system and not be able to access it.

I'd say that matters. Think about all the secrets (tls keys, whatever) a server has in memory.

If you can't connect to the sshd daemon, you can't attack it.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: