Security problem depending on your point of view with OpenSSH 2.5.1p1 related to Password authentication.

Hisashi T Fujinaka htodd at
Sat Mar 3 08:50:22 EST 2001

We're seeing the same problem on Red Hat systems with 2.5.1p2. Looks like
the code for both protocols is checking the same flag, but ssh2 is
ignoring it.

Anyone have a patch?

On Fri, 2 Mar 2001, William Hahn wrote:

> I compiled 2.5.1p1 on Solaris and Linux with PAM support and produced the same problem.
> If I set sshd_config to not allow password authentication (PasswordAuthentication no) and restart sshd,
> I then ssh in with password authentication in ssh protocol version 2.
> If I try to ssh in with protocol 1, I get "Permission denied", which is what I would expect.

Hisashi T Fujinaka - htodd at
BSEE (6/86) + BSChem (3/95) + BAEnglish (8/95) + $2.50 = mocha latte
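
A defender's check for the mismatch reported in this thread, as an added example (not code from the posters or the OpenSSH project): it compares the PasswordAuthentication setting in an sshd_config with the methods a server advertises in `ssh -v` client output. The sample config and log are constructed, the function names are hypothetical, and the debug line format assumed is that of current OpenSSH clients.

```shell
#!/bin/sh
# Constructed sample of client debug output (not captured from a real host).
SAMPLE_LOG='debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.'

# Constructed sshd_config fragment matching the setting quoted in the thread.
SAMPLE_CONFIG='# constructed example
Protocol 2,1
PasswordAuthentication no'

# stdin: ssh -v output. Prints the first advertised method list, one per line.
advertised_methods() {
  sed -n 's/^debug1: Authentications that can continue: //p' | head -n 1 | tr ',' '\n'
}

# $1: keyword, stdin: sshd_config text. Prints the first value found, lowercased.
# Keywords are case-insensitive and sshd uses the first value it reads;
# parsing stops at a Match block because later lines are conditional.
config_value() {
  awk -v k="$1" '
    BEGIN { k = tolower(k) }
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == k { print tolower($2); exit }'
}

# $1: sshd_config text, $2: ssh -v output.
# Returns 1 when the config disables password auth but the server offers it.
check_password_policy() {
  setting=$(printf '%s\n' "$1" | config_value PasswordAuthentication)
  [ -n "$setting" ] || setting=yes   # sshd default when the keyword is unset
  if [ "$setting" = no ] &&
     printf '%s\n' "$2" | advertised_methods | grep -qx password; then
    echo "MISMATCH: PasswordAuthentication no, but server offers password"
    return 1
  fi
  echo "OK: advertised methods are consistent with PasswordAuthentication $setting"
  return 0
}

# Live use (user@host is a placeholder), collecting the log without logging in:
#   log=$(ssh -v -o BatchMode=yes -o PreferredAuthentications=none user@host true 2>&1)
#   check_password_policy "$(cat /etc/ssh/sshd_config)" "$log"
```

Run it after every sshd upgrade or config change; a MISMATCH result means the running daemon is not enforcing the setting on disk.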

More information about the openssh-unix-dev mailing list