From: Darren Pilgrim
Date: Wed, 26 Jun 2002 14:34:06 -0700
To: freebsd-security@freebsd.org
Subject: Now I'm really confused!
Message-ID: <3D1A334E.40076AD0@pantherdragon.org>

I know a great deal of you are utterly sick and tired with the whole OpenSSH fiasco. I am too, but I'm also really confused, and now worried about the security of my machine.

I upgraded OpenSSH to 3.3p1 only to be told that the stock version I had wasn't vulnerable. I've also now been told that "ChallengeResponseAuthentication no" in my sshd_config is the real workaround.

My question(s):

With v3.3p1, and "ChallengeResponseAuthentication no" in /etc/ssh/sshd_config, from a security standpoint, am I better off, worse off, or at about the same level that I was at with the stock 4.5-R sshd?