OpenSSH's UseLogin option allows remote access with root privilege.

Gregory Steuck greg at nest.cx
Sat Jun 10 01:30:05 EST 2000


>>>>> "Markus" == Markus Friedl <markus.friedl at informatik.uni-erlangen.de> writes:

    Markus> OpenSSH's UseLogin option allows remote access with root
    Markus> privilege.  1. Systems affected:

    Markus> 	The default installation of OpenSSH is not vulnerable,
    Markus> since UseLogin defaults to 'no'.  However, if UseLogin is
    Markus> enabled, all versions of OpenSSH prior to 2.1.1 are
    Markus> affected.

Could you clarify if the following lines from 
http://www.openbsd.org/plus.html are true then?

"Do not use the (non-default) UseLogin option in OpenSSH 2.1.*, it has a
hole on other operating systems and does not work right in OpenBSD."
                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Is OpenBSD with "UseLogin yes" vulnerable or not (even though it's not
default)?

Bye
Greg





More information about the openssh-unix-dev mailing list