Re: Upcoming OpenSSH vulnerability
From: Richard Houston (rhouston@rlhc.net)
Date: 06/26/02
From: Richard Houston <rhouston@rlhc.net> Date: Wed, 26 Jun 2002 16:19:56 GMT
http://www.openssh.org/txt/preauth.adv
On the above link, the short term solution is to disable Challenge
response Authentication in sshd_conf.
Does anyone know what the implication of disabling this is?
Thanks
Rich
John wrote:
>>I nuked it, went back to 3.2.3p1, and tightened up my
>>/etc/hosts.allow for ssh to just my machines, which is where
>>I'm staying until 3.4 comes out and I hear good reports about
>>it working predictably and reliably. I'd also like to know
>>what the damn vulnerability is that Theo warned everybody about
>>so imperatively. Right now I don't feel much different than a
>>windows admin waiting nervously for the next patch from M$ and
>>hoping they don't get hacked in the meanwhile. tcp_wrappers
>>should keep me safe until Monday, hopefully, but I thought one
>>of the strengths of open source was wide disclosure of bugs to
>>speed the fix.
>>
>>Ah well.
>
>
> I really think that Theo is doing open source another disservice.
> Isn't he the same guy who released the info about the Apache
> security hole without telling the Apache group and then came out
> with a non-working patch??
>
> I always thought the process was supposed to be - find a hole,
> notify vendor, give them X weeks to release a fix, if they don't
> release a fix THEN AND ONLY THEN do you release the details of
> the hole.
>
> Seems like he's panicking a lot of people for no apparent reason.
>
>
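Added example, not part of the original message or of OpenSSH itself: a check for the workaround mentioned in the message above, reporting the effective ChallengeResponseAuthentication value in an sshd configuration file. It assumes sshd's first-value-wins keyword handling and a default of yes when the keyword is absent; the sample configs and function names are constructed for illustration.

```python
import sys

KEYWORD = "challengeresponseauthentication"  # sshd keywords are case-insensitive
DEFAULT = "yes"  # assumption: enabled when the keyword is absent

# Constructed sample configs, not taken from the thread.
SAMPLE_UNSET = "#ChallengeResponseAuthentication no\nPasswordAuthentication yes\n"
SAMPLE_SHADOWED = (
    "Port 22\n"
    "challengeresponseauthentication yes\n"
    "ChallengeResponseAuthentication no\n"
)
SAMPLE_DISABLED = "Protocol 2\nChallengeResponseAuthentication no\n"


def effective_value(config_text):
    """Return (value, line_number); line_number 0 means the default applies."""
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment, including a commented-out setting
        parts = line.split(None, 1)
        if parts[0].lower() == KEYWORD:
            value = parts[1].strip().lower() if len(parts) > 1 else ""
            return value, lineno  # first occurrence wins; later ones are ignored
    return DEFAULT, 0


def workaround_applied(config_text):
    """True only when the effective value is an explicit 'no'."""
    return effective_value(config_text)[0] == "no"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            configs = {sys.argv[1]: fh.read()}
    else:
        configs = {"unset": SAMPLE_UNSET, "shadowed": SAMPLE_SHADOWED,
                   "disabled": SAMPLE_DISABLED}
    for name, text in configs.items():
        value, lineno = effective_value(text)
        origin = f"line {lineno}" if lineno else "default"
        print(f"{name}: ChallengeResponseAuthentication={value} ({origin}) "
              f"workaround_applied={workaround_applied(text)}")
```

The shadowed sample shows the case worth checking for: a `no` appended below an earlier `yes` does not take effect.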