[Security Announce] MDKSA-2002:040 - openssh update (fwd)

Eric Eisenhart eric at eisenhart.com
Wed Jun 26 12:09:12 PDT 2002

And finally the real details of the OpenSSH bug come out...

Edit /etc/ssh/sshd_config and make sure you have
"ChallengeResponseAuthentication no" set (uncommented) and you're protected
from this specific bug.  

A lot of Linux distributions already have this defaulted to off or don't
even have the functionality compiled in.  

It's used to enable things like s/key authentication, which is pretty
unusual to have turned on.  (it requires a small piece of hardware that the
user has to have with them to be able to log in; I've only encountered this
being used once and that was for servers on a really large financial
institution)  If "ssh -v localhost" has a "debug1: authentications that can
continue:" line that doesn't include "keyboard-interactive", you're
definitely doing fine.  (but I think you still might be okay with
keyboard-interactive showing; it's also used for some PAM stuff other than
Eric Eisenhart                                  eric-dot-sig at eisenhart.com
Perl, SQL, Linux and Web            ^           IRC: Freiheit at openprojects
Coder, Sysadmin and geek           /e\                AIM: falsch freiheit
http://eric.eisenhart.com/         ---                       ICQ: 48217244

More information about the talk mailing list