Date: Tue, 4 Dec 2001 06:10:14 -0500 (EST)
From: SecLists
To: Chris Johnson
Cc: Holtor, "security@freebsd.org"
Subject: Re: OpenSSH Vulnerability
In-Reply-To: <20011203213708.A88390@palomine.net>

Not sure if you are talking about the freebsd package or the portable source,
but a portable source installation enables sftp by default... just did one
tonight on Solaris 8, OpenSSH 3.0.2p1

Thanks,
shawn

On Mon, 3 Dec 2001, Chris Johnson wrote:

> On Mon, Dec 03, 2001 at 06:28:11PM -0800, Holtor wrote:
> > Is freebsd's SSH vulnerable to this?
> >
> > http://www.securityfocus.com/archive/1/243430
> >
> > The advisory says all versions prior to 2.9.9 are
> > vulnerable and I see sftp-server is on by default in
> > freebsd's sshd_config
>
> How do you figure that? I see:
>
> # Uncomment if you want to enable sftp
> #Subsystem sftp /usr/libexec/sftp-server
>
> in my /etc/ssh/sshd_config file, and the sshd man page says, "By default no
> subsystems are defined."
>
> Chris Johnson
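
The question in this thread comes down to whether a given sshd_config carries an active or a commented-out Subsystem line. The following is an added example, not part of the original messages or of OpenSSH: a shell check that reports active Subsystem directives. The function names list_subsystems and sftp_enabled are hypothetical, and the two sample files are constructed.

```shell
#!/bin/sh
# list_subsystems FILE
# Print "name<TAB>command" for every active (uncommented) Subsystem directive.
# Keywords in sshd_config are case-insensitive; leading whitespace is allowed.
list_subsystems() {
    awk '
        { sub(/^[ \t]+/, "") }          # strip leading whitespace
        /^#/ || /^$/ { next }           # comments and blank lines are inactive
        tolower($1) == "subsystem" && NF >= 3 {
            cmd = $3
            for (i = 4; i <= NF; i++) cmd = cmd " " $i
            printf "%s\t%s\n", $2, cmd
        }
    ' "$1"
}

# sftp_enabled FILE
# Exit 0 if FILE defines an active "sftp" subsystem, 1 otherwise.
sftp_enabled() {
    list_subsystems "$1" |
        awk -F'\t' '$1 == "sftp" { found = 1 } END { exit !found }'
}

# Constructed samples: the commented lines quoted in the thread, and a
# config where the same directive is active.
tmp=$(mktemp -d)
printf '%s\n' '# Uncomment if you want to enable sftp' \
    '#Subsystem sftp /usr/libexec/sftp-server' > "$tmp/commented"
printf '  subsystem\tsftp\t/usr/libexec/sftp-server\n' > "$tmp/active"

for f in "$tmp/commented" "$tmp/active"; do
    if sftp_enabled "$f"; then
        echo "$f: sftp subsystem ENABLED"
    else
        echo "$f: sftp subsystem not defined"
    fi
done
rm -rf "$tmp"
```

Point sftp_enabled at the real /etc/ssh/sshd_config on each host to settle which case applies there.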