Subject: Re: OpenSSH Priv Sep and Remote Exploit?
To: Mark E. Perkins <>
From: Jason R Thorpe <>
List: tech-pkg
Date: 06/26/2002 09:38:57
On Wed, Jun 26, 2002 at 08:44:54AM -0400, Mark E. Perkins wrote:

 > 2) In the interim, is it sufficient to enable UsePrivilegeSeparation (in
 > .../sshd_config) for 3.2.3p1, add the sshd user (which required creating
 > /var/empty)? Based on earlier comments in this thread, this seems to be
 > enough (I see an sshd-user-owned sshd when I connect with ssh).

You can also set ChallengeResponseAuthentication to no (I would make
sure SkeyAuthentication is also no) in the mean time.

It's completely absurd that the OpenSSH people recommended blind upgrades
to a PrivSep version of OpenSSH, rather than just suggesting to people that
they disable ChallengeResponseAuthentication.  I guess they're not so "Open"
after all.

        -- Jason R. Thorpe <>