From owner-freebsd-security Thu Jun 27 2:10:33 2002
Date: Thu, 27 Jun 2002 13:09:48 +0400
From: "Nickolay A. Kritsky"
Reply-To: "Nickolay A. Kritsky"
Message-ID: <88624007.20020627130948@internethelp.ru>
To: D J Hawkey Jr
Cc: Steve Ames, Dag-Erling Smorgrav, freebsd-security@FreeBSD.ORG
Subject: Re[2]: CERT (Was: Re: NUTS! "Much ado about nothing" -- I need a clearer up or down)
In-reply-To: <20020626214957.A2165@sheol.localdomain>
References: <200206261711.g5QHB9t00396@sheol.localdomain> <20020626210055.A2065@sheol.localdomain> <20020627022949.GA55324@energistic.com> <20020626214957.A2165@sheol.localdomain>

Hello D,

Thursday, June 27, 2002, 6:49:57 AM, you wrote:

DJHJ> On Jun 26, at 09:29 PM, Steve Ames wrote:
>>
>> On Wed, Jun 26, 2002 at 09:00:55PM -0500, D J Hawkey Jr wrote:
>> > On Jun 27, at 03:49 AM, Dag-Erling Smorgrav wrote:
>> > >
>> > > hawkeyd@visi.com (D J Hawkey Jr) writes:
>> > > > Sorry to be so thick-headed, but between Mike and Jacques, the answer
>> > > > to "Is 'OpenSSH_2.9 FreeBSD localisations 20020307' even vulnerable?"
>> > > > is "That does appear to be the case.".
>> > >
>> > > 2.9 is not vulnerable to this particular attack.
>> >
>> > That's as simple as it gets. Thanks.
>>
>> That "particular attack"... yep. The CERT advisory seemed to indicate
>> that earlier versions also have vulnerabilities? From 2.3.1p1 to 3.3...

DJHJ> See below for some observations. For brevity's sake, I've snipped irrelevant
DJHJ> text.

for brevity's sake I've snipped even more

>> Disable PAM authentication via interactive keyboard
>>
>> For OpenSSH versions greater than 2.9, system administrators can
>> disable the vulnerable portion of the code affecting the PAM
>> authentication issue by setting the "PAMAuthenticationViaKbdInt"
>> configuration option to "no" in their sshd configuration file.
>> Typically, this is accomplished by adding the following line to
>> /etc/ssh/sshd_config:
>>
>> PAMAuthenticationViaKbdInt no

DJHJ> No such animal with the OpenSSH version in RELENG_4_5.

I don't know which version of OpenSSH is used in RELENG_4_5, but for
those of you who run OpenSSH_2.9.9p2, this is what you should know:
such an option exists, and according to the man page it is turned off by
default.

from `man sshd':

     PAMAuthenticationViaKbdInt
             Specifies whether PAM challenge response authentication is
             allowed. This allows the use of most PAM challenge response
             authentication modules, but it will allow password
             authentication regardless of whether PasswordAuthentication
             is disabled. The default is ``no''.

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru
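
An added example (not part of the original message, and not OpenSSH's own code): a shell audit that reports the effective PAMAuthenticationViaKbdInt setting in an sshd_config and flags the case where it overrides PasswordAuthentication, as the quoted man page describes. Assumptions: the defaults are "no" for PAMAuthenticationViaKbdInt (from the man page text above) and "yes" for PasswordAuthentication, the first occurrence of a keyword wins, and the function names and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Sample configs are constructed.

# Print the value sshd would use for keyword $2 in config file $1, falling
# back to $3 when unset. Assumed parsing rules: keywords are case-insensitive,
# '#' starts a comment line, and the first occurrence of a keyword wins.
sshd_effective_option() {
    awk -v want="$2" -v dflt="$3" '
        BEGIN { want = tolower(want) }
        { sub(/\r$/, ""); sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        {
            n = split($0, f, /[ \t=]+/)
            if (n >= 2 && tolower(f[1]) == want) {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print dflt }
    ' "$1"
}

# Exit status: 0 = option off, 1 = option on, 2 = option on while
# PasswordAuthentication is "no" (passwords still accepted via PAM, per the
# man page text quoted above).
audit_pam_kbdint() {
    kbd=$(sshd_effective_option "$1" PAMAuthenticationViaKbdInt no)
    pw=$(sshd_effective_option "$1" PasswordAuthentication yes)
    if [ "$kbd" != "yes" ]; then
        echo "$1: PAMAuthenticationViaKbdInt=$kbd, nothing to change"
        return 0
    fi
    if [ "$pw" = "no" ]; then
        echo "$1: PAMAuthenticationViaKbdInt=yes overrides PasswordAuthentication=no"
        return 2
    fi
    echo "$1: PAMAuthenticationViaKbdInt=yes, set it to \"no\""
    return 1
}

# Demo on a constructed config: a later "no" does not undo the earlier "yes".
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample
PasswordAuthentication no
pamauthenticationviakbdint yes
PAMAuthenticationViaKbdInt no
EOF
audit_pam_kbdint "$demo" || echo "audit status: $?"
rm -f "$demo"
```

On a real host, pass the path of the live configuration, for example /etc/ssh/sshd_config as named in the advisory text quoted above.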