[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

OpenSSH vulnerability -- disable ChallengeResponseAuthentication



Hello all!

I just saw a post on Bugtraq from ISS X-Force about the OpenSSH vulnerability. 
Here is an interesting excerpt:

-----

ISS X-Force recommends that system administrators disable unused OpenSSH
authentication mechanisms. Administrators can remove this vulnerability
by disabling the Challenge-Response authentication parameter within the
OpenSSH daemon configuration file. This filename and path is typically:
/etc/ssh/sshd_config. To disable this parameter, locate the
corresponding line and change it to the line below:


ChallengeResponseAuthentication no


The "sshd" process must be restarted for this change to take effect.
This workaround will permanently remove the vulnerability. X-Force
recommends that administrators upgrade to OpenSSH version 3.4
immediately. This version implements privilege separation, contains a
patch to block this vulnerability, and contains many additional pro-
active security fixes. Privilege separation was designed to limit
exposure to known and unknown vulnerabilities. Visit
http://www.openssh.com for more information.

-----

It sounds like ChallengeResponseAuthentication is an option to allow S/Key, or 
OPIE authentication, and is enabled by default on most OpenSSH installations. 
If this prevents the remote exploit, it sounds like an easier solution than 
using the privilege separation method.

Perhaps disabling this is a workaround until version 3.4 is released (it does 
not appear to be released yet).

Does anyone else know more about this?

Thanks!

Brandon





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]