Sun statement on the OpenSSH Remote Challenge Vulnerability

From: Darren J Moffat (Darren.Moffat@Sun.COM)
Date: 06/28/02

Date: Fri, 28 Jun 2002 14:12:47 -0700
From: Darren J Moffat <Darren.Moffat@Sun.COM>

An official Security bulletin with be released very soon but the
following is an interim statement since we have received a number of

The version of OpenSSH that is in Solaris 9 is not beleived to be
vulnerable if the default configuration is used. If sshd_config(4)
has been updated so that BOTH of the following entries are present
then it is vulnerable.

        PAMAuthenticationViaKBDInt yes
        KbdInteractiveAuthentication yes

Note that in the default sshd_config(4) PAMAuthenticationViaKBDInt is
listed but KbdInteractiveAuthentication is not (the compiled in default
for KbdInteractiveAuthentication is no).

Sun is in the process of producing a patch for Solaris 9. Older Solaris
releases are not vulernable since they do not include OpenSSH as part of
the Solaris distribution - hosts that added OpenSSH as part of their own
site configurations should check the official OpenSSH advisory for details.

The patch that Sun produces to fix this issue will not contain the new
OpenSSH Privsep support as it is not yet stable enough on Solaris due to
interactions with PAM and BSM auditing, this may appear in a future
release - Sun is working with the OpenSSH devlopers on the PAM problems
and once a working OpenSSH with PAM and BSM is available we will
re-evaluate our position on Privsep.

Darren J Moffat

Relevant Pages

  • Re: SSH +PAM on Solaris 8
    ... >Has anyone else had problems with OpenSSH 3.7.1p2 with PAM ... >After attempting to install openssh on Solaris using gcc and binutils ... >even attempt the security module I use. ... Note that you have to both "enable pam" in sshd_config, ...
  • Re: solaris password aging problem
    ... > Is password aging supported with openssh using pam on solaris? ... > concerned that I will not be able to add cron entries because I'm using ...
  • Re: OpenSSH Password Aging/Expiration on UW2.1.3
    ... Try using gcc compiler. ... >difficulties with UnixWare and not Solaris. ... >> Look at the thread 'OpenSSH and forced password change' ... >>> When user bob attempts to login, ...
  • Re: Openssh, kerberos and Solaris 10
    ... if the problem is the Solaris 10 sshd is not saving ... other is used by pam :-( The man pages are not consistent ... rather live with this then to have to build OpenSSH and MIT Kerberos ... Solaris 10's sshd uses PAM, ...
  • Re: Solaris 9 SSH: HostbasedAuthentication?
    ... > If Sun have cut it out, ... It wasn't cut out it just wasn't in the release of OpenSSH that we ... Due to the way that development works for Solaris it ... The lack of host based authentication and some other missing features ...