Subject: Re: OpenSSH Priv Sep and Remote Exploit?
To: Jarle Greipsland <>
From: Jason R Thorpe <>
List: tech-security
Date: 06/26/2002 11:42:59
On Wed, Jun 26, 2002 at 08:37:18PM +0200, Jarle Greipsland wrote:

 > But is it sufficient to disable ChallengeResponseAuthentication
 > in the configuration file?  Or does one also have to disable the
 > feature(s) when compiling the sshd program?

As I understand the bug, it only happens when you get responses to
challenges, meaning the server would first have to issue the challenges,
meaning disabling the issuing of such challenges would be sufficient
to protect you.

Please correct me if I am wrong.

        -- Jason R. Thorpe <>