Re: OpenSSH vulnerability
- From: Bob McClure Jr <robertmcclure earthlink net>
- To: redhat-install-list redhat com
- Subject: Re: OpenSSH vulnerability
- Date: Thu, 27 Jun 2002 17:19:09 -0500
On Thu, Jun 27, 2002 at 02:03:40PM -0400, bkortiak macsteelusa com wrote:
> Not near a RH computer at the moment. The advisory at
> http://www.openssh.com/txt/preauth.adv got me wondering what version of
> SSH is used by RH?

RH7.2 uses openssh 3.1. The notice I got indicated that you could
turn off the vulnerability by changing /etc/ssh/sshd_config. The
stock file has

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes

which is the default (and vulnerable) behavior. All you need to do is
add the line

    ChallengeResponseAuthentication no

and restart sshd.

Or you can upgrade to openssh v3.4.

> --
> Boris Kortiak
> Sr. Programmer Analyst
> MacsteelUSA
> +1 (215) 245-3253
Cheers,
--
Bob McClure, Jr. | Talk is cheap because
Bobcat Open Systems, Inc. | supply always exceeds demand.
robertmcclure earthlink net |
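
Added example, not part of the original message: a shell check for the setting described above that reports the value sshd would actually use, rather than just grepping for the line. It assumes sshd keeps the first active value it reads for a keyword; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the effective ChallengeResponseAuthentication value
# in an sshd_config file. Function names and sample files are assumptions.

# Prints the value sshd would use. Lines starting with '#' are inactive,
# keywords match case-insensitively, and the first active value wins.
# With no active line, the default described in the post ("yes") applies.
cra_effective() {
    awk '
        /^[ \t]*#/ { next }                     # commented-out line
        tolower($1) == "challengeresponseauthentication" {
            print $2; found = 1; exit           # first active value wins
        }
        END { if (!found) print "yes" }         # default per the post
    ' "$1"
}

# Exit status 0 only when the mitigation from the post is in effect.
cra_mitigated() {
    [ "$(cra_effective "$1")" = "no" ]
}

# Constructed sample files written into directory $1:
#   stock    - the two stock lines quoted in the post
#   fixed    - stock plus the line the post says to add
#   shadowed - an earlier active "yes" followed by a later "no"
make_samples() {
    printf '%s\n' '# Change to no to disable s/key passwords' \
        '#ChallengeResponseAuthentication yes' > "$1/stock"
    cp "$1/stock" "$1/fixed"
    echo 'ChallengeResponseAuthentication no' >> "$1/fixed"
    printf '%s\n' 'challengeresponseauthentication yes' \
        'ChallengeResponseAuthentication no' > "$1/shadowed"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in stock fixed shadowed; do
    printf '%s: %s\n' "$f" "$(cra_effective "$tmp/$f")"
done
rm -rf "$tmp"
```

Point `cra_mitigated` at /etc/ssh/sshd_config after editing, and remember the post's last step: sshd must be restarted before the change applies.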