Date: Tue, 23 Sep 2003 16:53:18 -0400
From: Haesu <haesu@towardex.com>
To: Michael Sierchio <kudzu@tenebras.com>, security@freebsd.org
Subject: Re: OpenSSH: multiple vulnerabilities in the new PAM code
Message-ID: <20030923205318.GB3346@scylla.towardex.com>
In-Reply-To: <3F705D4D.4070404@tenebras.com>
References: <3F705D4D.4070404@tenebras.com>
Oh jee, here we go again. Hey, at least patched 3.5p1 on FreeBSD 4.8/4.9 are not affected :)

-hc

--
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | haesu@towardex.com
Cell: (978)394-2867 | Office: (978)263-3399 Ext. 174
Fax: (978)263-0033 | POC: HAESU-ARIN

On Tue, Sep 23, 2003 at 07:48:45AM -0700, Michael Sierchio wrote:
> This affects only 3.7p1 and 3.7.1p1. The advice to leave
> PAM disabled is far from heartening, nor is the semi-lame
> blaming the PAM spec for implementation bugs.
>
> I happen to like OPIE for remote access.
>
> > Subject: Portable OpenSSH Security Advisory: sshpam.adv
> >
> > This document can be found at: http://www.openssh.com/txt/sshpam.adv
> >
> > 1. Versions affected:
> >
> > Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
> > vulnerabilities in the new PAM code. At least one of these bugs
> > is remotely exploitable (under a non-standard configuration,
> > with privsep disabled).
> >
> > The OpenBSD releases of OpenSSH do not contain this code and
> > are not vulnerable. Older versions of portable OpenSSH are not
> > vulnerable.
> >
> > 2. Solution:
> >
> > Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM
> > support ("UsePam no" in sshd_config).
> >
> > Due to complexity, inconsistencies in the specification and
> > differences between vendors' PAM implementations we recommend
> > that PAM be left disabled in sshd_config unless there is a need
> > for its use. Sites only using public key or simple password
> > authentication usually have little need to enable PAM.
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
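The advisory's mitigation ("UsePAM no") and the combination it calls remotely exploitable (PAM enabled with privsep disabled) can be audited per host from sshd_config. The script below is an added example, not code from the advisory or from anyone in this thread; it assumes sshd honours the first occurrence of a keyword, matches keywords case-insensitively, and defaults both UsePAM and UsePrivilegeSeparation to "yes" (assumptions; confirm against the defaults documented for the sshd version actually installed).

```shell
#!/bin/sh
# Added audit helper (not from the advisory). Assumptions, stated in the
# lead-in: first keyword occurrence wins, keywords are case-insensitive,
# defaults are UsePAM yes and UsePrivilegeSeparation yes.

# sshd_setting FILE KEYWORD DEFAULT -> effective value, lowercased
sshd_setting() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v k="$key" '
        /^[[:space:]]*(#|$)/ { next }            # skip comments and blank lines
        {
            sub(/^[[:space:]]+/, "")
            split($0, f, "[[:space:]=]+")        # "Keyword value" or "Keyword=value"
            if (tolower(f[1]) == k) { print tolower(f[2]); exit }   # first wins
        }' "$1")
    printf '%s\n' "${val:-$3}"
}

# sshpam_risk FILE -> ok | exposed | pam-enabled
#   ok          : PAM disabled, the advisory's recommended mitigation
#   exposed     : PAM on and privsep off, the configuration the advisory
#                 describes as remotely exploitable on 3.7p1/3.7.1p1
#   pam-enabled : PAM on with privsep, still upgrade to 3.7.1p2
sshpam_risk() {
    pam=$(sshd_setting "$1" UsePAM yes)
    privsep=$(sshd_setting "$1" UsePrivilegeSeparation yes)
    if [ "$pam" = no ]; then echo ok
    elif [ "$privsep" = no ]; then echo exposed
    else echo pam-enabled
    fi
}

# Constructed sample configs (not from any real host) to exercise the check.
TMP=$(mktemp -d)
printf '# constructed sample\nPort 22\nUsePrivilegeSeparation no\nUsePAM yes\nUsePAM no\n' > "$TMP/bad.conf"
printf '# constructed sample\nusepam = no\nUsePrivilegeSeparation yes\n' > "$TMP/ok.conf"
printf 'Port 22\n' > "$TMP/default.conf"      # relies on assumed defaults

for f in "$TMP"/*.conf; do
    printf '%s: %s\n' "$(basename "$f")" "$(sshpam_risk "$f")"
done
```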