Subject: sshd at broke?
To: None <>
From: gabriel rosenkoetter <>
List: current-users
Date: 06/27/2002 11:50:47
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

First off, hope it's not got ChallengeResponseAuthentication set to
"yes" (note that you have to *force* this to no!):

grappa:dist/ssh# telnet 22
Connected to
Escape character is '^]'.
SSH-1.99-OpenSSH_3.0.2 NetBSD_Secure_Shell-20011206

That aside, I'd kind of like to do a cvs update, but:

grappa:dist/ssh# cat CVS/Root
grappa:dist/ssh# echo $CVS_RSH
grappa:dist/ssh# ssh -V
OpenSSH_3.2 NetBSD_Secure_Shell-20020422, SSH protocols 1.5/2.0, OpenSSL 0x=
grappa:dist/ssh# cvs update -dP
ssh_exchange_identification: Connection closed by remote host
cvs [update aborted]: end of file from server (consult above messages if an=

pserver works, but is obviously less desirable (especially for
things like src/crypto/dist/ssh, which is what I'm trying to update
in this example), since it's susceptible to mitm attacks.

What REALLY scares me about this is that I really doubt that
ChallengeResponseAuthentication is set to "no" on, since it is, to all appearances, an otherwise-
default install. If that's the case, then what assurance does the
public have that these sources haven't been tampered with?

gabriel rosenkoetter

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.0.7 (NetBSD)