
Re: OpenSSH vulnerability



Bob McClure Jr wrote:
On Thu, Jun 27, 2002 at 02:03:40PM -0400, bkortiak macsteelusa com wrote:

Not near a RH computer at the moment.  The advisory at
http://www.openssh.com/txt/preauth.adv got me wondering what version of
SSH is used by RH?


RH7.2 uses openssh 3.1.  The notice I got indicated that you could
turn off the vulnerability by changing /etc/ssh/sshd_config.  The
stock file has

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

which is the default (and vulnerable) behavior.  All you need to do is
add the line

ChallengeResponseAuthentication no

and restart sshd.

Or you can upgrade to openssh v3.4.

I HIGHLY recommend upgrading to 3.4.  There are some other things it
fixes.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens vitalstream com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-         "You think that's tough?  Try herding cats!"               -
----------------------------------------------------------------------
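
A check for the workaround described in this thread, as an added example that is not part of the original messages: it reports whether an sshd_config file has an active `ChallengeResponseAuthentication no` line rather than only the commented-out stock line. The function names and sample files are constructed for illustration; it assumes sshd's first-value-wins parsing and reads only the global section (it stops at a `Match` line).

```shell
#!/bin/sh
# Print the effective global ChallengeResponseAuthentication value of the
# sshd_config file given as $1, or "default" when no active line sets it
# (per the thread, the default is yes, i.e. the vulnerable behaviour).
cra_setting() {
    awk '
        # Skip blank lines and comments; a commented-out keyword is not a setting.
        /^[ \t]*(#|$)/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # Keyword and value are separated by whitespace or "=".
            split(line, f, /[ \t=]+/)
            kw = tolower(f[1])              # keywords are case-insensitive
            if (kw == "match") exit         # assumption: audit the global section only
            if (kw == "challengeresponseauthentication") {
                print f[2]; found = 1; exit # assumption: first value obtained wins
            }
        }
        END { if (!found) print "default" }
    ' "$1"
}

# Succeed only when the workaround is actually in effect.
cra_disabled() {
    [ "$(cra_setting "$1")" = "no" ]
}

# Constructed samples: the stock lines quoted in the thread, then the same
# file with the fix line added.
tmp=$(mktemp -d)
printf '%s\n' '# Change to no to disable s/key passwords' \
    '#ChallengeResponseAuthentication yes' > "$tmp/stock"
cp "$tmp/stock" "$tmp/fixed"
printf '%s\n' 'ChallengeResponseAuthentication no' >> "$tmp/fixed"

for f in "$tmp/stock" "$tmp/fixed"; do
    if cra_disabled "$f"; then
        echo "$f: challenge-response disabled"
    else
        echo "$f: challenge-response enabled ($(cra_setting "$f"))"
    fi
done
rm -rf "$tmp"
```

Run it against a copy of /etc/ssh/sshd_config after editing; the change only takes effect once sshd is restarted, as the message says.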




