Re: Upcoming OpenSSH vulnerability

From: Richard Houston (rhouston@rlhc.net)
Date: 06/26/02


From: Richard Houston <rhouston@rlhc.net>
Date: Wed, 26 Jun 2002 16:19:56 GMT

http://www.openssh.org/txt/preauth.adv

At the above link, the short-term solution is to disable
ChallengeResponseAuthentication in sshd_config.
Does anyone know what the implication of disabling this is?

Thanks

Rich

John wrote:
>>I nuked it, went back to 3.2.3p1, and tightened up my
>>/etc/hosts.allow for ssh to just my machines, which is where
>>I'm staying until 3.4 comes out and I hear good reports about
>>it working predictably and reliably. I'd also like to know
>>what the damn vulnerability is that Theo warned everybody about
>>so imperatively. Right now I don't feel much different than a
>>Windows admin waiting nervously for the next patch from M$ and
>>hoping they don't get hacked in the meanwhile. tcp_wrappers
>>should keep me safe until Monday, hopefully, but I thought one
>>of the strengths of open source was wide disclosure of bugs to
>>speed the fix.
>>
>>Ah well.
>
>
> I really think that Theo is doing open source another disservice.
> Isn't he the same guy who released the info about the Apache
> security hole without telling the Apache group and then came out
> with a non-working patch??
>
> I always thought the process was supposed to be - find a hole,
> notify vendor, give them X weeks to release a fix, if they don't
> release a fix THEN AND ONLY THEN do you release the details of
> the hole.
>
> Seems like he's panicking a lot of people for no apparent reason.
>
>
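The mitigation the advisory prescribes is a one-line change to sshd_config, and the question above is what it costs. As an added example (not from this thread, the advisory, or the OpenSSH project), the script below reads an sshd_config the way sshd does (comments skipped, keyword case-insensitive, first occurrence wins, default "yes" when the keyword is absent) and reports the effective authentication settings for a weak and a hardened configuration. Both configuration fragments are constructed for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Added example: determine the effective ChallengeResponseAuthentication
# setting of an sshd_config and what authentication methods remain.
# Parsing mirrors sshd's rules: comment and blank lines are ignored,
# keywords are case-insensitive, "Keyword value" and "Keyword=value"
# are both accepted, the first occurrence wins, and an absent keyword
# takes its default ("yes" for the three keywords used here).

# Constructed config: the option is only commented out, so the default
# "yes" applies and the challenge/response code path is still reachable.
WEAK_CONFIG='Port 22
Protocol 2
#ChallengeResponseAuthentication yes
PasswordAuthentication yes
PubkeyAuthentication yes'

# Constructed config: the short-term mitigation from preauth.adv applied.
HARDENED_CONFIG='Port 22
Protocol 2
ChallengeResponseAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes'

# effective_value KEYWORD DEFAULT   (config text on stdin)
# Prints the value sshd would use for KEYWORD.
effective_value() {
    key=$1
    default=$2
    val=$(awk -v key="$key" '
        {
            sub(/^[[:space:]]+/, "")               # strip leading blanks
            if ($0 ~ /^#/ || $0 ~ /^$/) next       # skip comments and blanks
            gsub(/=/, " ")                         # accept Keyword=value
        }
        tolower($1) == tolower(key) { print $2; exit }   # first match wins
    ')
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "$default"
    fi
}

# challenge_response_state CONFIG_TEXT  ->  "enabled" or "disabled"
# Anything other than an explicit "no" leaves the code path enabled.
challenge_response_state() {
    v=$(printf '%s\n' "$1" | effective_value ChallengeResponseAuthentication yes)
    case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
        no) echo disabled ;;
        *)  echo enabled ;;
    esac
}

# auth_summary CONFIG_TEXT
# Prints the effective value of each authentication keyword, one per line,
# so the reader can see what is left once challenge/response is turned off.
auth_summary() {
    cfg=$1
    for kw in ChallengeResponseAuthentication PasswordAuthentication PubkeyAuthentication; do
        printf '%s=%s\n' "$kw" "$(printf '%s\n' "$cfg" | effective_value "$kw" yes)"
    done
}

echo "weak config: challenge/response $(challenge_response_state "$WEAK_CONFIG")"
auth_summary "$WEAK_CONFIG"
echo "hardened config: challenge/response $(challenge_response_state "$HARDENED_CONFIG")"
auth_summary "$HARDENED_CONFIG"
```

Run it as `sh check_cr.sh`; to inspect a live server, replace the constructed strings with `$(cat /etc/ssh/sshd_config)`. The summary makes the trade-off concrete: with `ChallengeResponseAuthentication no`, sshd no longer offers the challenge/response (keyboard-interactive, e.g. S/Key) method, while password and public-key authentication stay on unless you have turned them off yourself, so users who log in with a plain password or a key are unaffected. Sites that depend on keyboard-interactive, such as one-time-password schemes or PAM modules reached only through that method, lose that login path until the upgraded release is in place, and an option that is merely commented out still leaves the default "yes" in force.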