Subject: Re: openssh s/key issue (Was: Re: rfd2228 in ftpd)
To: None <itojun@iijlab.net>
From: Jaromir Dolecek <jdolecek@netbsd.org>
List: tech-security
Date: 07/01/2002 17:08:15
itojun@iijlab.net wrote:
> 	i recommend you to read section 6 (release process) of
> 	http://openssh.com/txt/preauth.adv

That text doesn't explain anything, it merely comments on what they
did.  b) & c) would only hold if ChallengeResponseAuthentication
were critical functionality most sites _need_ to have switched
on.  Were it critical functionality, I'd understand that the
workaround couldn't have been published. However, S/Key authentication
is far from critical functionality - only a small fraction of sites
actually depend on it.

I still don't understand why the openssh team handled the issue
the way they did. Why did they suggest closing ssh ports on firewalls,
implementing privsep and taking a whole bunch of disaster-protection steps,
when 'ChallengeResponse no' fixes the issue completely, and could
be used by the majority of sites?

I must be missing something obvious.

Jaromir

P.S. kre: according to section 2. Impact of the above mentioned document,
    every SSH with 'ChallengeResponseAuthentication on' was vulnerable. Quote:
"""
	This bug can be exploited remotely if ChallengeResponseAuthentication
	is enabled in sshd_config.  This option is enabled
	by default on OpenBSD and other systems.
"""
-- 
Jaromir Dolecek <jdolecek@NetBSD.org> http://www.NetBSD.org/Ports/i386/ps2.html
-=- We should be mindful of the potential goal, but as the tantric    -=-
-=- Buddhist masters say, ``You may notice during meditation that you -=-
-=- sometimes levitate or glow.   Do not let this distract you.''     -=-