Re: CERT (Was: Re: NUTS! "Much ado about nothing" -- I need a clearer up or down)
From: D J Hawkey Jr (hawkeyd@visi.com)
Date: 06/27/02
- Next message: Mark Hittinger: "re: Legacy Static Linking (was: Security Advisory FreeBSD-SA-02:28.resolv)"
- Previous message: Steve Ames: "CERT (Was: Re: NUTS! "Much ado about nothing" -- I need a clearer up or down)"
- In reply to: Steve Ames: "CERT (Was: Re: NUTS! "Much ado about nothing" -- I need a clearer up or down)"
- Next in thread: Nickolay A. Kritsky: "Re[2]: CERT (Was: Re: NUTS! "Much ado about nothing" -- I need a clearer up or down)"
- Reply: Nickolay A. Kritsky: "Re[2]: CERT (Was: Re: NUTS! "Much ado about nothing" -- I need a clearer up or down)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 26 Jun 2002 21:49:57 -0500
From: D J Hawkey Jr <hawkeyd@visi.com>
To: Steve Ames <steve@energistic.com>
On Jun 26, at 09:29 PM, Steve Ames wrote:
>
> On Wed, Jun 26, 2002 at 09:00:55PM -0500, D J Hawkey Jr wrote:
> > On Jun 27, at 03:49 AM, Dag-Erling Smorgrav wrote:
> > >
> > > hawkeyd@visi.com (D J Hawkey Jr) writes:
> > > > Sorry to be so thick-headed, but between Mike and Jacques, the answer
> > > > to "Is 'OpenSSH_2.9 FreeBSD localisations 20020307' even vulnerable?"
> > > > is "That does appear to be the case.".
> > >
> > > 2.9 is not vulnerable to this particular attack.
> >
> > That's as simple as it gets. Thanks.
>
> That "particular attack"... yep. The CERT advisory seemed to indicate
> that earlier versions also have vulnerabilities? From 2.3.1p1 to 3.3...
See below for some observations. For brevity's sake, I've snipped irrelevant
text.
> -Steve
>
>
> CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response
> Handling
>
> [SNIP]
>
> III. Solution
>
> [SNIP]
>
> Disable challenge response authentication
>
> For OpenSSH versions greater than 2.9, system administrators can
> disable the vulnerable portion of the code by setting the
> "ChallengeResponseAuthentication" configuration option to "no" in
> their sshd configuration file. Typically, this is accomplished by
> adding the following line to /etc/ssh/sshd_config:
>
> ChallengeResponseAuthentication no
This I did when I enabled SSH. Seems a mis-match on this between clients
and servers can go a little weird.
> Disable PAM authentication via interactive keyboard
>
> For OpenSSH versions greater than 2.9, system administrators can
> disable the vulnerable portion of the code affecting the PAM
> authentication issue by setting the "PAMAuthenticationViaKbdInt"
> configuration option to "no" in their sshd configuration file.
> Typically, this is accomplished by adding the following line to
> /etc/ssh/sshd_config:
>
> PAMAuthenticationViaKbdInt no
No such animal with the OpenSSH version in RELENG_4_5.
> Disable both options in older versions of OpenSSH
>
> For OpenSSH versions between 2.3.1p1 and 2.9, system administrators
> will instead need to set the following options in their ssh
> configuration file:
>
> KbdInteractiveAuthentication no
> ChallengeResponseAuthentication no
The first doesn't exist in the OpenSSH version in RELENG_4_5.
Would I be naive - or stupid - in assuming that those features that aren't
even implemented cannot be vulnerable?
Dave
--
______________________ ______________________
\__________________ \ D. J. HAWKEY JR. / __________________/
\________________/\ hawkeyd@visi.com /\________________/
http://www.visi.com/~hawkeyd/
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
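As an added example (not part of the original mail, of the CERT advisory, or of any FreeBSD or OpenSSH code), a small POSIX sh script that audits an sshd_config for the three directives the advisory names. It follows how sshd actually reads the file rather than grepping for the keyword: the first value found for a keyword wins, keyword matching is case-insensitive, `#` starts a comment, and `Keyword = value` is accepted alongside `Keyword value`. The two sshd_config fragments in `demo` are constructed sample data.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the CA-2002-18 mitigations.
# Not code from the original mail, the CERT advisory, FreeBSD or OpenSSH.
# sshd keeps the FIRST value it reads for a keyword, matches keywords
# case-insensitively, treats "#" as a comment and accepts "Key = value"
# as well as "Key value", so the parser below follows those rules.

# effective_value FILE KEYWORD
#   Print the value sshd would use for KEYWORD, or "unset" if FILE never sets it.
effective_value() {
    awk -v want="$2" '
        { sub(/#.*/, ""); sub(/=/, " ") }   # drop comment, normalise "Key = value"
        NF >= 2 && tolower($1) == tolower(want) { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_sshd_config FILE
#   One line per directive; returns 0 only when nothing is left enabled.
#   ChallengeResponseAuthentication defaults to "yes" in sshd, so leaving it
#   out is a failure.  The two keyboard-interactive keywords do not exist in
#   every OpenSSH version (the mail above finds neither in RELENG_4_5), so
#   "unset" for those is reported for a human to confirm against the
#   installed sshd rather than counted as a pass or a failure.
audit_sshd_config() {
    file=$1
    status=0
    for key in ChallengeResponseAuthentication \
               PAMAuthenticationViaKbdInt \
               KbdInteractiveAuthentication; do
        val=$(effective_value "$file" "$key")
        case "$key:$val" in
            *:no)
                printf '%-32s %-6s ok\n' "$key" "$val" ;;
            ChallengeResponseAuthentication:unset)
                printf '%-32s %-6s FAIL (sshd default is yes)\n' "$key" "$val"
                status=1 ;;
            *:unset)
                printf '%-32s %-6s check: confirm this sshd has no such option\n' "$key" "$val" ;;
            *)
                printf '%-32s %-6s FAIL\n' "$key" "$val"
                status=1 ;;
        esac
    done
    return $status
}

# Two constructed sshd_config fragments (sample data, not from any real host).
demo() {
    tmp=${TMPDIR:-/tmp}/ca-2002-18-demo.$$
    cat > "$tmp.good" <<'EOF'
# constructed sample: mitigated
Port 22
ChallengeResponseAuthentication no    # first value wins ...
ChallengeResponseAuthentication yes   # ... so this line is ignored by sshd
PAMAuthenticationViaKbdInt = no
EOF
    cat > "$tmp.bad" <<'EOF'
# constructed sample: a grep for "no" is fooled by the commented line below
Port 22
#ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt yes
EOF
    for f in "$tmp.good" "$tmp.bad"; do
        echo "== $f"
        if audit_sshd_config "$f"; then echo "result: mitigated"; else echo "result: NOT mitigated"; fi
    done
    rm -f "$tmp.good" "$tmp.bad"
}

demo
```

The script can only say that a keyword is not set in the file, not whether the installed sshd implements it; that has to be checked against the binary itself. On OpenSSH versions whose sshd has the `-t` configuration test mode, pointing it at a copy of the file that contains the keyword will tell you whether sshd recognises it (whether the sshd in RELENG_4_5 already has `-t` is not something this page establishes, so treat that as an assumption to verify on the box).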