Re: Upcoming OpenSSH vulnerability

From: steve s. (nobody@nowhere.com)
Date: 06/27/02


From: nobody@nowhere.com (steve s.)
Date: Wed, 26 Jun 2002 22:20:29 -0000

if you read man sshd (3.1 for me), it says the default
ChallengeResponseAuthentication is 'yes', so it sounds like you need to
disable it. I don't know about the compile-time options, I didn't specify
them for my systems. Putting this line into sshd_config doesn't seem to
break them.

On 26 Jun 2002 17:22:11 GMT, Mike Iglesias <iglesias@draco.acs.uci.edu> wrote:
>In article <3D19E9B9.4060805@rlhc.net>,
>Richard Houston <rhouston@rlhc.net> wrote:
>>http://www.openssh.org/txt/preauth.adv
>>
>>On the above link, the short term solution is to disable Challenge
>>response Authentication in sshd_conf.
>>Does anyone know what the implication of disabling this is?
>
>From the note that went out to bugtraq from ISS this morning, it appears
>that this bug is only a problem when OpenSSH is compiled with BSD_AUTH
>or SKEY defined. Both of those are defined only if requested when
>configure is run, from what I can tell. And ChallengeResponseAuthentication
>defaults to "no".
>
>So, unless I misread the note somewhere, this bug doesn't affect you
>unless you configure with "--with-bsd-auth" and/or "--with-skey", and
>you have "ChallengeResponseAuthentication yes" in sshd_conf. And it's not
>a problem if you have "UsePrivilegeSeparation yes" in sshd_conf, regardless
>of the other settings above.
>
>There is a note in the Changelog for v3.4p1 that says some other overflows
>were fixed in the code, so moving to 3.4 may be a good idea. Since it
>was kind of rushed out, there may be other issues that will cause problems
>down the road.
>
>
>--
>Mike Iglesias Internet: iglesias@draco.acs.uci.edu
>University of California, Irvine phone: 949-824-6926
>Network & Academic Computing Services FAX: 949-824-2069

-- 
Steve S.

steve @ NOSPAM sorry i'm tired of spam remove spaces, NOSPAM and you'll see there is no email address attached :( !
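
An added example, not part of the original posts: a shell check that reads the two sshd_config directives named in the thread and reports which of the conditions described above applies. The function names, status labels and sample config are constructed for illustration; the compile-time options cannot be read from the config file, and the default for an unset ChallengeResponseAuthentication is left for you to confirm in your own sshd man page.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the directives discussed above.

# Print the first value set for a keyword, lower-cased (sshd uses the first
# value it obtains for each keyword), or "unset" if it never appears.
# Usage: sshd_directive FILE KEYWORD
sshd_directive() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); found = 0 }
        { sub(/#.*/, ""); gsub(/=/, " ") }   # drop comments, accept Keyword=value
        tolower($1) == "match" { exit }      # look at the global section only
        tolower($1) == want && NF >= 2 { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Classify a config file using the conditions stated in the thread.
# The labels are hypothetical names chosen for this example.
# Usage: preauth_status FILE
preauth_status() {
    cra=$(sshd_directive "$1" ChallengeResponseAuthentication)
    priv=$(sshd_directive "$1" UsePrivilegeSeparation)
    if [ "$priv" = "yes" ]; then
        echo "privsep-on"
    elif [ "$cra" = "no" ]; then
        echo "challenge-response-off"
    elif [ "$cra" = "yes" ]; then
        echo "check-build-options"   # relevant with --with-bsd-auth / --with-skey
    else
        echo "check-default"         # directive unset: confirm the build's default
    fi
}

# Constructed sample config (not taken from any real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
Protocol 2
challengeresponseauthentication yes
ChallengeResponseAuthentication no
#UsePrivilegeSeparation yes
EOF

# The first (lower-case) line wins and the privsep line is commented out.
preauth_status "$sample"
```
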