Question regarding the recent OpenSSH security vulnerabilities.

From: Akop Pogosian
Date: 06/27/02

From: Akop Pogosian
Date: Wed, 26 Jun 2002 22:28:05 +0000 (UTC)

In today's ISS Advisory about the OpenSSH Remote Challenge Vulnerability, they
say at some point:

"OpenSSH supports the SKEY and BSD_AUTH authentication options. These
are compile-time options. At least one of these options must be
enabled before the OpenSSH binaries are compiled for the vulnerable
condition to be present."

Since neither BSD_AUTH nor SKEY options are enabled by default when
compiling openssh-3.1p1 on Solaris and possibly other operating
systems, it seems to me that the default install of openssh-3.1p1 on
non-*BSD operating systems is not vulnerable to this problem. Am I
correct here? I also downloaded and checked the openssh SRPM for
RedHat Linux 7.2 and it does not seem to enable those options either.

Akop Pogosian

This space has been accidentally left blank.
