Subject: Re: rfc2228 in ftpd
To: Robert Elz <kre@munnari.OZ.AU>
From: Seth Kurtzberg <>
List: tech-security
Date: 07/01/2002 10:19:14

Unless I misunderstand what is going on, a system is vulnerable if the 
feature is enabled for sshd, and  whether or not normal users (that is, not 
the hackers) are using the feature is irrelevant.  As has been noted, it can 
be turned off in the configuration file, and it can also be disabled at the 
time of compilation.  Many have suggested the obvious course of action:  
disable the feature in the sshd.conf file immediately (not forgetting, of 
course, to restart sshd), and turn the feature off in future builds.

On Monday 01 July 2002 01:53 am, Robert Elz wrote:
>     Date:        Mon, 01 Jul 2002 15:29:29 +0900
>     From:
>     Message-ID:  <>
>   | 	i guess the problem is not how many users are using s/key, but how
>   | many of installed systems that has it turned on (most of the openssh
>   | installation shipped with it turned on).
> From what I read, I thought the problem occurred only when a response to
> a s/key prompt was received, is that correct?
> If so, surely that can only happen on systems where s/key is actually used,
> regardless of whether or not the openssh code installed had the potential
> to use it or not.
> If that's all correct, then at the worst this moves the problem from being
> a remote exploit to a local one for most sites, as someone would have to
> enable s/key first, locally, before being able to attack.
> kre

Seth Kurtzberg
MIS Corp.
Office:  (480) 661-1849
Fax: (480) 614-8909
pager:  888-605-9296 or email