Subject: Re: OpenSSH Priv Sep and Remote Exploit?
To: Jason R Thorpe <>
From: David Maxwell <>
List: tech-pkg
Date: 06/26/2002 16:07:05
On Wed, Jun 26, 2002 at 11:42:59AM -0700, Jason R Thorpe wrote:
> On Wed, Jun 26, 2002 at 08:37:18PM +0200, Jarle Greipsland wrote:
> > But is it sufficient to disable ChallengeResponseAuthentication
> > in the configuration file?  Or does one also have to disable the
> > feature(s) when compiling the sshd program?
> As I understand the bug, it only happens when you get responses to
> challenges, meaning the server would first have to issue the challenges,
> meaning disabling the issuing of such challenges would be sufficient
> to protect you.
> Please correct me if I am wrong.

You are NOT mistaken.

Disabling ChallengeResponseAuthentication is a valid workaround, and
obviously a better short term action than updating to PrivSep if you
have many machines and don't need s/key support.

Updating to 3.4 is a good idea when possible, since turning the feature
off is no guarantee against accidentally enabling it again later.

David Maxwell | --> Although some of you out
there might find a microwave oven controlled by a Unix system an attractive
idea, controlling a microwave oven is easily accomplished with the smallest
of microcontrollers. - Russ Hersch - (Microcontroller primer and FAQ)
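The workaround discussed in this thread only holds if the option is actually in effect on every host, and, as the message notes, nothing stops it from being re-enabled later. The script below is an added example, not code from the thread or from OpenSSH: it reports the effective value of ChallengeResponseAuthentication in an sshd_config file so the setting can be audited across many machines. It relies on two documented sshd_config rules: the first occurrence of a keyword wins (later duplicates are ignored), and an unset option takes the compiled-in default, which is "yes" for this one. The function names and the sample configs are constructed for the example; it inspects only the global section, stopping at the first Match block.

```shell
#!/bin/sh
# Added example: audit the effective ChallengeResponseAuthentication
# setting in an sshd_config file. Not part of the thread or of OpenSSH.
set -e

# effective_cra FILE -> prints the effective value, "yes" or "no".
effective_cra() {
    awk '
        # Skip comments and blank lines (a commented-out line is not in effect).
        /^[[:space:]]*#/ { next }
        NF == 0          { next }
        # Only the global section is examined; stop at the first Match block.
        tolower($1) == "match" { exit }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            # Accept both "Keyword value" and "Keyword=value" forms.
            n = split(line, f, /[[:space:]=]+/)
            # sshd uses the FIRST occurrence of a keyword; keywords are
            # case-insensitive, so compare in lower case.
            if (!found && tolower(f[1]) == "challengeresponseauthentication") {
                found = 1
                value = tolower(f[2])
            }
        }
        # Unset means the compiled-in default, which is "yes" for this option.
        END { print (found ? value : "yes") }
    ' "$1"
}

# cra_disabled FILE -> exit status 0 when the workaround is in effect.
cra_disabled() {
    [ "$(effective_cra "$1")" = "no" ]
}

# Constructed sample configs (not taken from any real host).
tmpdir=$(mktemp -d)
cat > "$tmpdir/default_install" <<'EOF'
# option never set, so the compiled-in default (yes) applies
Port 22
Protocol 2
EOF
cat > "$tmpdir/mitigated" <<'EOF'
Port 22
ChallengeResponseAuthentication no
# a later duplicate does NOT override the first occurrence
ChallengeResponseAuthentication yes
EOF
cat > "$tmpdir/commented_out" <<'EOF'
#ChallengeResponseAuthentication no   <- commented out, so not in effect
Port 22
EOF

for f in default_install mitigated commented_out; do
    if cra_disabled "$tmpdir/$f"; then status="workaround in effect"
    else status="challenge-response ENABLED"; fi
    printf '%-16s ChallengeResponseAuthentication=%s (%s)\n' \
        "$f" "$(effective_cra "$tmpdir/$f")" "$status"
done
rm -rf "$tmpdir"
```

Run it against each host's sshd_config (for example over ssh in a loop) and act on any host that reports "yes"; a periodic run is what catches the "accidentally enabling it again later" case the message warns about.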