Subject: Re: OpenSSH Priv Sep and Remote Exploit?
To: Jason R Thorpe <>
From: Steven M. Bellovin <>
List: tech-security
Date: 06/26/2002 14:11:15
In message <>, Jason R Thorpe writes
>On Wed, Jun 26, 2002 at 08:44:54AM -0400, Mark E. Perkins wrote:
> > 2) In the interim, is it sufficient to enable UsePrivilegeSeparation (in
> > .../sshd_config) for 3.2.3p1, add the sshd user (which required creating
> > /var/empty)? Based on earlier comments in this thread, this seems to be
> > enough (I see an sshd-user-owned sshd when I connect with ssh).
>You can also set ChallengeResponseAuthentication to no (I would make
>sure SkeyAuthentication is also no) in the meantime.

I'm confused again.  sshd_config in 1.6beta3 has this:

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

which implies that they're the same option.  Or is it different on 
other versions?  I checked 3.1 and 3.3.1.

		--Steve Bellovin, (me) ("Firewalls" book)
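The confusion above is about what a commented-out line in sshd_config means: "#ChallengeResponseAuthentication yes" documents the compiled-in default, it does not set anything, so the only way to know what sshd will actually use is to look at the first uncommented line for each keyword (sshd_config keywords are case-insensitive and, for each keyword, the first value obtained is the one used). The script below is an added example, not code from the thread or from OpenSSH: it reads a constructed sshd_config snippet embedded inline, reports the effective value of the three keywords discussed (UsePrivilegeSeparation, ChallengeResponseAuthentication, SkeyAuthentication), and checks whether the interim workaround from the thread is in place. The function names and the sample configuration text are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample sshd_config (not the file from the thread). The first
# two lines mimic the stock 3.x comment that documents a default; the later
# lowercase line is the setting sshd would actually obey.
SAMPLE_CONFIG='# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
UsePrivilegeSeparation yes
#UsePrivilegeSeparation no
PasswordAuthentication yes
challengeresponseauthentication no'

# sshd_effective KEYWORD CONFIG_TEXT [DEFAULT]
# Prints the value sshd would use for KEYWORD: comment lines are ignored,
# keyword comparison is case-insensitive, and the first uncommented match
# wins (later lines for the same keyword are ignored, as sshd does).
# Prints DEFAULT (or "unset" if none was given) when no line sets it, so a
# commented-out "#ChallengeResponseAuthentication yes" never counts.
sshd_effective() {
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    dflt=${3:-unset}
    printf '%s\n' "$2" | awk -v key="$key" -v dflt="$dflt" '
        /^[ \t]*#/ { next }                       # comments are not settings
        NF >= 2 && tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print dflt }'
}

# interim_mitigation_ok CONFIG_TEXT
# Returns 0 when the interim workaround discussed in the thread is in
# effect: privilege separation enabled and challenge-response (s/key)
# authentication disabled. The "yes" default for ChallengeResponse-
# Authentication is taken from the comment in the sample config.
interim_mitigation_ok() {
    ps=$(sshd_effective UsePrivilegeSeparation "$1" no)
    cr=$(sshd_effective ChallengeResponseAuthentication "$1" yes)
    [ "$ps" = "yes" ] && [ "$cr" = "no" ]
}

# Report the effective values for the keywords discussed in the thread.
for kw in UsePrivilegeSeparation ChallengeResponseAuthentication SkeyAuthentication; do
    printf '%-32s %s\n' "$kw:" "$(sshd_effective "$kw" "$SAMPLE_CONFIG")"
done
if interim_mitigation_ok "$SAMPLE_CONFIG"; then
    echo "interim workaround: in place"
else
    echo "interim workaround: NOT in place"
fi
```

To check a live system, replace the sample text with "$(cat /etc/ssh/sshd_config)" (or wherever the installed sshd reads its config); note that the script only reads the file, it does not confirm that the running sshd was restarted after the edit or which defaults that particular build compiled in, so an "unset" result has to be resolved against that version's own sshd_config(5).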