[CentOS] OpenBSD rows. Is Centos affected?

Wed Dec 15 12:45:18 UTC 2010
Nico Kadel-Garcia <nkadel at gmail.com>

On Wed, Dec 15, 2010 at 1:46 AM, John R Pierce <pierce at hogranch.com> wrote:
> On 12/14/10 10:30 PM, Fajar Priyanto wrote:
>> http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
>>
>> Is CentOS affected?
>
>
> It's not clear yet if even OpenBSD is affected. It'd be pretty hard to
> imagine any such back door remaining in 10 year old code that's subject
> to such rigorous security audits as OpenBSD.
>
> There's a lot that doesn't jibe. Like, the encryption coding was all
> done outside the USA so the encryption export laws in effect at the time
> had no impact.

As someone contributing patches to the original SSH software and later
OpenSSH patches at the time, I've got to say "no, it wasn't". Patches
were accepted from anywhere. They were carefully code reviewed, and many
patches were rejected, but patches were indeed accepted. My favorite
rejected patch was the "stop doing reverse DNS lookups, dang it!" patch.
The only graceful way to entirely turn it off is to set the SSH daemon
to record a maximum hostname length of zero, which is a very strange way
to simply disable that behavior. (It causes serious connection lag in
networks where you're unlikely to be able to get reliable reverse DNS,
which is far too common a setup issue.)

Patches aren't necessarily considered encryption.