[Security Announce] MDKSA-2002:040 - openssh update (fwd)
eric at eisenhart.com
Wed Jun 26 12:09:12 PDT 2002
And finally the real details of the OpenSSH bug come out...

Edit /etc/ssh/sshd_config and make sure you have
"ChallengeResponseAuthentication no" set (uncommented) and you're protected
from this specific bug.

A lot of Linux distributions already have this defaulted to off or don't
even have the functionality compiled in.

It's used to enable things like s/key authentication, which is pretty
unusual to have turned on. (It requires a small piece of hardware that the
user has to have with them to be able to log in; I've only encountered this
being used once and that was for servers on a really large financial
institution.) If "ssh -v localhost" has a "debug1: authentications that can
continue:" line that doesn't include "keyboard-interactive", you're
definitely doing fine. (But I think you still might be okay with
keyboard-interactive showing; it's also used for some PAM stuff other than
Eric Eisenhart eric-dot-sig at eisenhart.com
Perl, SQL, Linux and Web ^ IRC: Freiheit at openprojects
Coder, Sysadmin and geek /e\ AIM: falsch freiheit
http://eric.eisenhart.com/ --- ICQ: 48217244
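The two checks the post describes, as an added example that is not part of the original message: one function looks for an uncommented "ChallengeResponseAuthentication no" in an sshd_config (first occurrence wins, as sshd itself does), the other scans a saved "ssh -v" transcript for keyboard-interactive in the offered-methods line. The config files and transcripts it runs against are constructed here, not real server output.

```shell
#!/bin/sh
# Added example (not from the original post): two offline checks for the
# mitigation it describes: (1) is "ChallengeResponseAuthentication no"
# set, uncommented, in an sshd_config; (2) does an "ssh -v" transcript
# still offer keyboard-interactive. All sample inputs are constructed.

# $1 = path to an sshd_config. Returns 0 only if the effective value is "no".
# sshd takes the first occurrence of a keyword, so the first match wins; a
# commented line ("#ChallengeResponseAuthentication no") is ignored because
# its first field starts with "#". Keywords are matched case-insensitively.
crauth_is_off() {
    crauth_val=$(awk 'tolower($1) == "challengeresponseauthentication" { print tolower($2); exit }' "$1")
    [ "$crauth_val" = "no" ]
}

# $1 = file holding the output of "ssh -v localhost 2>&1" (debug lines go to stderr).
# Returns 0 if the server's offered-methods line lists keyboard-interactive.
kbdint_offered() {
    grep -i '^debug1: authentications that can continue:' "$1" \
        | grep -q 'keyboard-interactive'
}

# --- constructed sample inputs (not real server output) ---
SAMPLE_DIR=$(mktemp -d)
GOOD_CONF="$SAMPLE_DIR/good_sshd_config"
BAD_CONF="$SAMPLE_DIR/bad_sshd_config"
SSHV_CLEAN="$SAMPLE_DIR/ssh_v_clean.txt"
SSHV_KBD="$SAMPLE_DIR/ssh_v_kbd.txt"
printf '%s\n' 'Port 22' 'ChallengeResponseAuthentication no' \
    'PasswordAuthentication yes' > "$GOOD_CONF"
# Only a commented-out line: the compiled-in default (yes) still applies.
printf '%s\n' 'Port 22' '#ChallengeResponseAuthentication no' \
    'PasswordAuthentication yes' > "$BAD_CONF"
printf '%s\n' 'debug1: Authentications that can continue: publickey,password' \
    'debug1: Next authentication method: publickey' > "$SSHV_CLEAN"
printf '%s\n' \
    'debug1: Authentications that can continue: publickey,password,keyboard-interactive' \
    'debug1: Next authentication method: publickey' > "$SSHV_KBD"

# Summary when run directly; a real check would point the functions at
# /etc/ssh/sshd_config and at a saved "ssh -v localhost 2>&1" transcript.
for conf in "$GOOD_CONF" "$BAD_CONF"; do
    if crauth_is_off "$conf"; then echo "$conf: ChallengeResponseAuthentication no (protected)"
    else echo "$conf: not set to no, default yes applies"; fi
done
for log in "$SSHV_CLEAN" "$SSHV_KBD"; do
    if kbdint_offered "$log"; then echo "$log: keyboard-interactive offered"
    else echo "$log: keyboard-interactive not offered"; fi
done
```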