OpenSSH Security Advisory (adv.iss)
Carson Gaspar
carson at taltos.org
Thu Jun 27 03:41:14 EST 2002
Use the Source, Luke:
{ "challengeresponseauthentication", sChallengeResponseAuthentication },
{ "skeyauthentication", sChallengeResponseAuthentication },  /* alias */
One must make sure that neither option is enabled.
{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
Is also suspect, based on the patch, although the advisory isn't sure if
it's exploitable or not.
--On Wednesday, June 26, 2002 4:42 PM +0200 Markus Friedl
<markus at openbsd.org> wrote:
> 2. Impact:
>
> This bug can be exploited remotely if
> ChallengeResponseAuthentication is enabled in sshd_config.
>
> Affected are at least systems supporting
> s/key over SSH protocol version 2 (OpenBSD, FreeBSD
> and NetBSD as well as other systems supporting
> s/key with SSH). Exploitability of systems
> using PAM in combination has not been verified.
>
> 3. Short-Term Solution:
>
> Disable ChallengeResponseAuthentication in sshd_config.
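One way to check an sshd_config against the three options named in this thread, as an added example that is not part of the original message or of OpenSSH itself. It assumes the sshd keyword handling of the time: keywords are case-insensitive, the first occurrence of a keyword wins and later duplicates are ignored, either whitespace or `=` may separate keyword and value, and the compiled-in defaults are `yes` for ChallengeResponseAuthentication and `no` for PAMAuthenticationViaKbdInt (the defaults are stated here as assumptions about mid-2002 builds, not verified against a specific release). The sample configs are constructed for the example.

```python
"""Audit an sshd_config for the options named in the OpenSSH advisory thread.

Constructed example, not OpenSSH code. Assumptions: sshd keywords are
case-insensitive; keyword and value may be separated by whitespace or '=';
a line whose first non-blank character is '#' is a comment; the first
occurrence of a keyword wins (later duplicates are ignored); and the
compiled-in defaults are yes for ChallengeResponseAuthentication and no for
PAMAuthenticationViaKbdInt.
"""
import re

# Keyword -> canonical option name. "skeyauthentication" is the alias quoted
# from servconf.c above, so both keywords set the same option.
KEYWORDS = {
    "challengeresponseauthentication": "ChallengeResponseAuthentication",
    "skeyauthentication": "ChallengeResponseAuthentication",
    "pamauthenticationviakbdint": "PAMAuthenticationViaKbdInt",
}

# Assumed compiled-in defaults (see module docstring); an option that never
# appears in the file takes the default, so an empty file is still "enabled".
DEFAULTS = {
    "ChallengeResponseAuthentication": True,
    "PAMAuthenticationViaKbdInt": False,
}

# keyword, then either '=' or whitespace, then the value token
_LINE_RE = re.compile(r"^\s*([A-Za-z]+)\s*(?:=|\s)\s*(\S+)")


def parse_sshd_config(text):
    """Return {option: bool} for the three options of interest, applying
    first-occurrence-wins semantics and filling in defaults."""
    seen = {}
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank line or comment
        m = _LINE_RE.match(stripped)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        option = KEYWORDS.get(key)
        if option is None or option in seen:
            continue                      # unrelated keyword, or a duplicate sshd ignores
        seen[option] = (value == "yes")
    result = dict(DEFAULTS)
    result.update(seen)
    return result


def audit(text):
    """Return a list of findings; an empty list means the short-term fix
    from the advisory is in place."""
    opts = parse_sshd_config(text)
    findings = []
    if opts["ChallengeResponseAuthentication"]:
        findings.append("ChallengeResponseAuthentication is enabled "
                        "(explicitly, via the SKeyAuthentication alias, or by default)")
    if opts["PAMAuthenticationViaKbdInt"]:
        findings.append("PAMAuthenticationViaKbdInt is enabled; the advisory "
                        "has not ruled out exploitation via PAM")
    return findings


# Constructed sample: a commented-out setting, an '=' separator, the s/key
# alias, and a later duplicate that sshd would ignore. This one is still
# vulnerable because the alias line comes first.
VULNERABLE_CONFIG = """\
# ChallengeResponseAuthentication no   <- commented out, has no effect
Protocol 2
SKeyAuthentication = yes
ChallengeResponseAuthentication no
"""

# Constructed sample with the advisory's short-term fix applied.
FIXED_CONFIG = """\
Protocol 2
ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt no
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

The alias handling is the point of the check: grepping for ChallengeResponseAuthentication alone misses a file that enables the same option under SKeyAuthentication, and grepping for a `no` line misses the case where an earlier line already set it.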
More information about the openssh-unix-dev mailing list