Subject: Re: OpenSSH Priv Sep and Remote Exploit?
To: Jason R Thorpe <email@example.com>
From: David Maxwell <firstname.lastname@example.org>
Date: 06/26/2002 16:07:05

On Wed, Jun 26, 2002 at 11:42:59AM -0700, Jason R Thorpe wrote:
> On Wed, Jun 26, 2002 at 08:37:18PM +0200, Jarle Greipsland wrote:
> > But is it sufficient to disable ChallengeResponseAuthentication
> > in the configuration file? Or does one also have to disable the
> > feature(s) when compiling the sshd program?
> As I understand the bug, it only happens when you get responses to
> challenges, meaning the server would first have to issue the challenges,
> meaning disabling the issuing of such challenges would be sufficient
> to protect you.
> Please correct me if I am wrong.

You are NOT mistaken.

Disabling ChallengeResponseAuthentication is a valid workaround, and
obviously a better short-term action than updating to PrivSep if you
have many machines and don't need s/key support.

Updating to 3.4 is a good idea when possible, since turning the feature
off is no guarantee against accidentally enabling it again later.

David Maxwell, email@example.com | firstname.lastname@example.org --> Although some of you out
there might find a microwave oven controlled by a Unix system an attractive
idea, controlling a microwave oven is easily accomplished with the smallest
of microcontrollers. - Russ Hersch - (Microcontroller primer and FAQ)
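
The closing point of the reply, that turning the option off is no guarantee against it being enabled again later, can be backed by a check run against each machine's config. The script below is an added example, not part of the original message or of OpenSSH. It assumes sshd_config keywords are case-insensitive, that the first occurrence of a keyword wins, and that an absent keyword means the default of "yes"; the function names and sample files are constructed, and Match/Include handling is left out.

```shell
#!/bin/sh
# Added example: report the effective ChallengeResponseAuthentication value
# of an sshd_config-style file, so a re-enabled setting is noticed.
# Assumptions: keyword is case-insensitive, first occurrence wins,
# absent keyword means the default "yes".

cra_effective() {
    # $1 = path to an sshd_config-style file; prints the effective value
    awk '
        /^[ \t]*#/ { next }                    # commented-out lines do not count
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]+/)         # "Keyword value" or "Keyword=value"
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n + RLENGTH)
            sub(/[ \t]+$/, "", val)
            if (key == "challengeresponseauthentication") {
                print val; found = 1; exit     # first occurrence wins
            }
        }
        END { if (!found) print "yes" }        # assumed default when absent
    ' "$1"
}

cra_disabled() {
    # Succeeds only when the effective value is exactly "no".
    [ "$(cra_effective "$1")" = "no" ]
}

# Constructed sample configs (not taken from any real host).
demo_dir=$(mktemp -d)
printf '%s\n' 'Port 22' '#ChallengeResponseAuthentication no' > "$demo_dir/commented"
printf '%s\n' 'challengeresponseauthentication no' \
              'ChallengeResponseAuthentication yes' > "$demo_dir/off"
printf '%s\n' 'ChallengeResponseAuthentication yes' \
              'ChallengeResponseAuthentication no' > "$demo_dir/reenabled"
for f in commented off reenabled; do
    if cra_disabled "$demo_dir/$f"; then s=disabled; else s=ENABLED; fi
    echo "$f: $s (effective: $(cra_effective "$demo_dir/$f"))"
done
rm -rf "$demo_dir"
```

The "commented" sample is the case that is easy to misread: a commented-out "no" leaves the default in force, so the check reports it as enabled.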