Subject: Re: OpenSSH Priv Sep and Remote Exploit?
To: None <firstname.lastname@example.org>
From: Jarle Greipsland <email@example.com>
Date: 06/26/2002 22:37:33

David Maxwell <firstname.lastname@example.org> writes:
> Disabling ChallengeResponseAuthentication is a valid workaround, and
> obviously a better short-term action than updating to PrivSep if you
> have many machines and don't need s/key support.

Excellent!  Since I am not that familiar with the OpenSSH code
base, I just wanted to be sure that no unsolicited challenge
response sent to a SKEY-enabled server could trigger the
overflow.  Given the revised announcement from the OpenSSH folks,
I guess this is not a problem.
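
Added example, not part of the original message or of OpenSSH: a shell check for confirming on many machines that the workaround discussed above is actually in effect in a given sshd_config. It assumes sshd's documented behaviour that keywords are case-insensitive, that the first value obtained for a keyword wins, and that ChallengeResponseAuthentication defaults to "yes" when absent; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Assumptions: first occurrence of a keyword wins, keywords are
# case-insensitive, and the default when the keyword is absent is "yes".

# Print the effective global ChallengeResponseAuthentication value
# ("yes" or "no") for the sshd_config-style file given as $1.
effective_cra() {
    awk '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }   # drop comments, indent
        $0 == "" { next }                         # skip empty lines
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)       # accept "key=value"
            split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == "match") exit              # global section ends
            if (key == "challengeresponseauthentication") {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "yes" }           # assumed default
    ' "$1"
}

# Return 0 if the workaround is in place, 1 otherwise, with a one-line
# report suitable for collecting from many hosts.
check_config() {
    if [ "$(effective_cra "$1")" = "no" ]; then
        echo "OK: $1 disables ChallengeResponseAuthentication"
        return 0
    fi
    echo "CHECK: $1 leaves ChallengeResponseAuthentication enabled"
    return 1
}

# Run against a real file only when one is named on the command line.
if [ -n "$1" ] && [ -r "$1" ]; then
    check_config "$1" || true
fi
```

A commented-out "#ChallengeResponseAuthentication no" line does not count as disabled, and a later "no" cannot override an earlier "yes".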