Security problem depending on your point of view with OpenSSH 2.5.1p1 related to Password authentication.

Kevin Steves stevesk at sweden.hp.com
Sat Mar 3 23:58:39 EST 2001


i can't duplicate this on hp-ux+pam, or redhat+pam.  can you provide
sshd -ddd output?

On Fri, 2 Mar 2001, Hisashi T Fujinaka wrote:
: We're seeing the same problem on redhat systems with 2.5.1p2. Looks like
: the code for both protocols is checking the same flag, but ssh2 is
: ignoring it.
:
: Anyone have a patch?
:
: On Fri, 2 Mar 2001, William Hahn wrote:
:
: > I compiled 2.5.1p1 on solaris and linux with PAM support and produced the same problem.
: >
: > If I set sshd_config to not allow password authentication (PasswordAuthentication no) and restart sshd.
: >
: > I then ssh in with password authentication in ssh protocol version 2.
: ...
: > If I try to ssh in with protocol 1 I get Permission denied, which is what I would expect.
:
: --
: Hisashi T Fujinaka - htodd at twofifty.com
: BSEE (6/86) + BSChem (3/95) + BAEnglish (8/95) + $2.50 = mocha latte





