Subject: Re: OpenSSH Priv Sep and Remote Exploit?
To: None <thorpej@wasabisystems.com>
From: Jarle Greipsland <jarle@uninett.no>
List: tech-security
Date: 06/26/2002 20:37:18
Jason R Thorpe <thorpej@wasabisystems.com> writes:
> It's completely absurd that the OpenSSH people recommended blind upgrades
> to a PrivSep version of OpenSSH, rather than just suggesting to people that
> they disable ChallengeResponseAuthentication.

But is it sufficient to disable ChallengeResponseAuthentication
in the configuration file?  Or does one also have to disable the
feature(s) when compiling the sshd program?

					-jarle