Subject: Re: OpenSSH Priv Sep and Remote Exploit?
To: Jason R Thorpe <thorpej@wasabisystems.com>
From: Steven M. Bellovin <smb@research.att.com>
List: tech-pkg
Date: 06/26/2002 14:11:15
In message <20020626093857.X1614@dr-evil.shagadelic.org>, Jason R Thorpe writes
:
>On Wed, Jun 26, 2002 at 08:44:54AM -0400, Mark E. Perkins wrote:
>
> > 2) In the interim, is it sufficient to enable UsePrivilegeSeparation (in
> > .../sshd_config) for 3.2.3p1, add the sshd user (which required creating
> > /var/empty)? Based on earlier comments in this thread, this seems to be
> > enough (I see an sshd-user-owned sshd when I connect with ssh).
>
>You can also set ChallengeResponseAuthentication to no (I would make
>sure SkeyAuthentication is also no) in the mean time.
>
I'm confused again. sshd_config in 1.6beta3 has this:
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
which implies that they're the same option. Or is it different on
other versions? I checked 3.1 and 3.3.1.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)