Subject: Re: OpenSSH Priv Sep and Remote Exploit?
To: None <david@fundy.net>
From: Jarle Greipsland <jarle@uninett.no>
List: tech-security
Date: 06/26/2002 22:37:33
David Maxwell <david@fundy.net> writes:
> Disabling ChallengeResponseAuthentication is a valid workaround, and
> obviously a better short-term action than updating to PrivSep if you
> have many machines and don't need s/key support.

Excellent!  Since I am not that familiar with the OpenSSH code
base, I just wanted to be sure that no unsolicited challenge
response sent to a SKEY-enabled server could trigger the
overflow.  Given the revised announcement from the OpenSSH folks
I guess this is not a problem.
					-jarle
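
For the many-machines case mentioned in the quoted text, a check that the workaround is actually in effect in a given sshd_config. This is an added example, not part of the original message or of OpenSSH: the function names `cra_setting` and `cra_disabled` are hypothetical and the sample configs are constructed. It assumes the sshd_config(5) behaviour that the first value read for a keyword wins and that an absent ChallengeResponseAuthentication defaults to "yes".

```shell
#!/bin/sh
# Added example: report whether ChallengeResponseAuthentication is disabled.
# Assumptions (per sshd_config(5)): keywords are case-insensitive, lines
# starting with '#' are comments, and the first value read for a keyword wins.
# Only the whitespace-separated "Keyword value" form is handled.

# Print the effective value of the keyword in file $1, or "unset" if absent.
cra_setting() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        tolower($1) == "challengeresponseauthentication" {
            print $2; found = 1; exit            # first occurrence wins
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 only when the workaround is applied. An absent keyword counts as
# not applied, because the default for this keyword is "yes".
cra_disabled() {
    [ "$(cra_setting "$1")" = "no" ]
}

# Constructed sample configs, written to a temp dir so the script runs offline.
demo_dir=$(mktemp -d)
printf '%s\n' 'Port 22' \
    '#ChallengeResponseAuthentication yes' \
    'challengeresponseauthentication no' \
    'ChallengeResponseAuthentication yes' > "$demo_dir/patched"
printf '%s\n' 'Port 22' \
    '# ChallengeResponseAuthentication no' > "$demo_dir/default"

for f in "$demo_dir/patched" "$demo_dir/default"; do
    if cra_disabled "$f"; then
        echo "$f: workaround applied"
    else
        echo "$f: challenge-response still enabled ($(cra_setting "$f"))"
    fi
done
```

The second sample shows the case that is easy to miss: a commented-out "no" leaves the keyword unset, so the server falls back to the default.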