Question regarding the recent OpenSSH security vulnerabilities.

From: Akop Pogosian (akopps+usenet@ocf.berkeley.edu)
Date: 06/27/02


From: Akop Pogosian <akopps+usenet@ocf.berkeley.edu>
Date: Wed, 26 Jun 2002 22:28:05 +0000 (UTC)


Today's ISS Advisory about OpenSSH Remote Challenge Vulnerability they
say at some point:

"OpenSSH supports the SKEY and BSD_AUTH authentication options. These
are compile-time options. At least one of these options must be
enabled before the OpenSSH binaries are compiled for the vulnerable
condition to be present."

Since neither BSD_AUTH nor SKEY options are enabled by default when
compiling openssh-3.1p1 on Solaris and possibly other operating
systems, it seems to me that the default install of openssh-3.1p1 on
non-*BSD operating system is not vulnerable to this problem. Am I
correct here? I also downloaded and checked the openssh SRPM for
RedHat Linux 7.2 and it does not seem to enable those options either.

-- 
Akop Pogosian

This space has been accidentally left blank.



Relevant Pages