From owner-freebsd-security Wed Jun 26 17:43:40 2002
Delivered-To: freebsd-security@freebsd.org
Received: from ainaz.pair.com (ainaz.pair.com [209.68.2.66]) by hub.freebsd.org (Postfix) with SMTP id 982EB37C144; Wed, 26 Jun 2002 16:33:54 -0700 (PDT)
Received: (qmail 78291 invoked by uid 3338); 26 Jun 2002 23:33:53 -0000
Date: Wed, 26 Jun 2002 19:33:53 -0400
From: Travis Cole
To: Maxim Kozin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory)
Message-ID: <20020626233353.GB77856@ainaz.pair.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.25i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Jun 27, 2002 at 12:50:41AM +0400, Maxim Kozin wrote:
> > Ppl, before you go crazy, think a little.
> > Theo did you a favor when he released his letter. Why? Because now all of
> > you are using privsep, which will hopefully help you if another 100
> > exploits are released/found in OpenSSH...
> Not all, because privsep has trouble with some PAM modules, but
> "ChallengeResponseAuthentication no" works. If only we had known this at the
> beginning of the sshisteria!

Yes, but if we had known about that from day one, so would the guys who like
to write exploits. There are some very smart people doing that, and the second
they saw "Just set ChallengeResponseAuthentication to no", that really makes it
easier to figure out where the problem is. You immediately narrow their search
from thousands of lines of code to only a few hundred.

--
-tcole

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
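As an added example (not part of this message, and not OpenSSH's own code), here is a small checker for the two sshd_config settings the thread turns on: privilege separation on, and challenge-response authentication off. It applies the sshd_config(5) rules that matter when auditing a host's configuration (keywords are case-insensitive and the first value read for a keyword wins), so a well-meaning "ChallengeResponseAuthentication no" appended at the bottom of the file is correctly reported as ineffective. The sample config is constructed for this example; the defaults assumed for absent keywords, the "sandbox" value and the handling of a Match line are assumptions noted in the code, not something stated in the thread.

```python
import re

# Constructed sample config, deliberately containing a duplicate keyword in
# mixed case: sshd honours the FIRST value it reads for each keyword, so the
# later "no" does not take effect and challenge-response stays enabled.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample for this example)
Port 22
Protocol 2
UsePrivilegeSeparation yes
ChallengeResponseAuthentication yes
challengeresponseauthentication no
"""

# "Keyword value" or "Keyword=value"
_LINE = re.compile(r"^(\S+?)\s*(?:=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return the effective global keyword -> value mapping.

    Rules applied (from sshd_config(5)): keywords are case-insensitive,
    the first value seen for a keyword wins, and lines that are empty or
    start with '#' are comments. Parsing stops at a 'Match' line because
    everything after it is conditional rather than global (assumption for
    this example: only the global section is audited).
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        effective.setdefault(key, value)   # first occurrence wins
    return effective


def check_mitigations(effective):
    """Report which of the two mitigations from the thread is missing.

    The defaults used when a keyword is absent ("no" for privsep, "yes"
    for challenge-response) are assumptions for this example; they changed
    across OpenSSH releases, so check the manual for the version in use.
    "sandbox" is accepted as an enabled privsep value (a later addition,
    also an assumption here).
    """
    findings = []
    privsep = effective.get("useprivilegeseparation", "no").lower()
    cra = effective.get("challengeresponseauthentication", "yes").lower()
    if privsep not in ("yes", "sandbox"):
        findings.append("UsePrivilegeSeparation is not enabled")
    if cra != "no":
        findings.append("ChallengeResponseAuthentication is not disabled")
    return findings


def harden(text):
    """Return the config with both mitigations forced on.

    Because the first value wins, prepending the directives is enough to
    override any later setting without editing or deleting it.
    """
    header = ("# added: mitigations discussed on freebsd-security, June 2002\n"
              "UsePrivilegeSeparation yes\n"
              "ChallengeResponseAuthentication no\n")
    return header + text


if __name__ == "__main__":
    before = check_mitigations(parse_sshd_config(SAMPLE_CONFIG))
    after = check_mitigations(parse_sshd_config(harden(SAMPLE_CONFIG)))
    print("before:", before or "ok")
    print("after: ", after or "ok")
```

Run it against a real file with `parse_sshd_config(open("/etc/ssh/sshd_config").read())`; the point to take away is the first-wins rule, which is why the fix in `harden` goes at the top of the file rather than the bottom.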