From: "Peter Brezny" <peter@skyrunner.net>
To: freebsd-security@freebsd.org
Subject: Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response
Date: Tue, 2 Jul 2002 12:44:36 -0400

OK, so now that half the freebsd-security list has enlightened me as to what YMMV means and where it came from, I know you guys are reading this list. However, no one bothered to mention why, even though OpenSSH's statement says that FreeBSD has a problem with the version of ssh out there, FreeBSD actually doesn't.

Could someone please point me to a specific ref. as to why FreeBSD's implementation of ssh is OK? I know I'm paranoid. Thanks.

From: http://openssh.org/txt/preauth.adv

  2. Impact:

  This bug can be exploited remotely if ChallengeResponseAuthentication is enabled in sshd_config. This option is enabled by default on OpenBSD and other systems.

  Affected are at least systems supporting s/key over SSH protocol version 2 (OpenBSD, FreeBSD and NetBSD as well as other systems supporting s/key with SSH). Exploitability of systems using PAMAuthenticationViaKbdInt has not been verified.

Thanks for the help and the enlightening reasons of what YMMV means. Here's a good one:

  Your Memory Might Vanish :)   (it's: Your Mileage May Vary)

And another with a nice explanation:

  YMMV = "your mileage may vary"
  A statement often made in advertising by American automobile manufacturers stating that fuel economy in miles/gallon is variable according to driving habits, type of fuel, etc., etc. This has come to mean "I found this to be true, but you may not..."

Thanks again for your help guys!

Peter Brezny
Skyrunner.net
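The quoted advisory makes exposure hinge on one sshd_config keyword, so a defender's first check is whether ChallengeResponseAuthentication is effectively enabled on a host. The following audit helper is an added example, not code from the post, from OpenSSH or from FreeBSD; it assumes the parsing rules documented in sshd_config(5) (keywords are case-insensitive, '#' starts a comment, the first value obtained for a keyword wins, whitespace or '=' separates keyword and value) and, following the advisory's wording, treats an absent keyword as enabled. It does not model Match blocks.

```python
"""Audit sshd_config text for ChallengeResponseAuthentication.

Added example for the CA-2002-18 / OpenSSH preauth advisory thread; not
code from the post, OpenSSH or FreeBSD. Parsing rules assumed from
sshd_config(5); absent keyword treated as 'yes' per the advisory.
"""
import re

KEYWORD = "challengeresponseauthentication"


def parse_sshd_config(config_text):
    """Yield (line_no, keyword, value) for effective directives only.

    Comments (from '#') and blank lines are skipped; keyword is lowercased.
    """
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd_config(5): keyword and value separated by whitespace or '='.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        yield line_no, parts[0].lower(), parts[1].strip()


def challenge_response_enabled(config_text):
    """True if the setting is effectively on (first occurrence wins)."""
    for _, key, value in parse_sshd_config(config_text):
        if key == KEYWORD:
            return value.lower() == "yes"
    return True  # keyword absent: advisory says enabled by default


def audit(config_text):
    """Return a one-line finding suitable for a host-check report."""
    for line_no, key, value in parse_sshd_config(config_text):
        if key == KEYWORD:
            state = "ENABLED" if value.lower() == "yes" else "disabled"
            return f"ChallengeResponseAuthentication {state} (line {line_no})"
    return "ChallengeResponseAuthentication ENABLED (keyword absent, default)"


# Constructed sample configs, not taken from any real host.
WEAK = "Port 22\n# ChallengeResponseAuthentication no  <- comment, no effect\n"
HARDENED = ("Port 22\nChallengeResponseAuthentication no\n"
            "ChallengeResponseAuthentication yes  # ignored: first value wins\n")

if __name__ == "__main__":
    print("weak:    ", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

The commented-out line in WEAK is the classic false sense of safety: the keyword is never obtained, so the default applies and the host stays exposed.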