Subject: Re: OpenSSH Priv Sep and Remote Exploit?
To: None <firstname.lastname@example.org>
From: Jarle Greipsland <email@example.com>
Date: 06/26/2002 20:37:18
Jason R Thorpe <firstname.lastname@example.org> writes:
> It's completely absurd that the OpenSSH people recommended blind upgrades
> to a PrivSep version of OpenSSH, rather than just suggesting to people that
> they disable ChallengeResponseAuthentication.
Bus is it sufficient to disable ChallengeResponseAuthentication
in the configuration file? Or does one also have to disable the
feature(s) when compiling the sshd program?