droberson / ssh-honeypot

Fake sshd that logs ip addresses, usernames, and passwords.
MIT License

CVE-2018-10933 #4

Closed by s0i37 6 years ago

s0i37 commented 6 years ago

I noticed that ssh-honeypot uses libssh. Is it secure?

droberson commented 6 years ago

Yes, this project uses libssh.

I do not believe this is vulnerable to CVE-2018-10933. Clients don't authenticate to this in the traditional sense, and ssh channels aren't opened with this software. It merely logs the usernames/passwords tried. People using this can recompile it after patching libssh for this vulnerability; it is statically linked by default.

As for your question "Is it secure?"; who knows? Like all software, there are probably some bugs present. If there are, I don't know about them. As with all of my projects, bug reports and PRs are welcome.