Security problem depending on your point of view with OpenSSH 2.5.1p1 related to Password authentication.

Hisashi T Fujinaka htodd at twofifty.com
Sat Mar 3 08:50:22 EST 2001


We're seeing the same problem on Red Hat systems with 2.5.1p2. Looks like
the code for both protocols is checking the same flag, but ssh2 is
ignoring it.

Anyone have a patch?

On Fri, 2 Mar 2001, William Hahn wrote:

> I compiled 2.5.1p1 on solaris and linux with PAM support and produced the same problem.
>
> If I set sshd_config to not allow password authentication (PasswordAuthentication no) and restart sshd.
>
> I then ssh in with password authentication in ssh protocol version 2.
...
> If I try to ssh in with protocol 1 I get "Permission denied.", which is what I would expect.

-- 
Hisashi T Fujinaka - htodd at twofifty.com
BSEE (6/86) + BSChem (3/95) + BAEnglish (8/95) + $2.50 = mocha latte





