Subject: Re: OpenSSH Priv Sep and Remote Exploit?
To: None <>
From: Jarle Greipsland <>
List: tech-pkg
Date: 06/26/2002 22:37:33

David Maxwell <> writes:
> Disabling ChallengeResponseAuthentication is a valid workaround, and
> obviously a better short-term action than updating to PrivSep if you
> have many machines and don't need s/key support.

Excellent!  Since I am not that familiar with the OpenSSH code
base, I just wanted to be sure that no unsolicited challenge
response sent to a SKEY-enabled server could trigger the
overflow.  Given the revised announcement from the OpenSSH folks,
I guess this is not a problem.