From owner-freebsd-security Wed Jun 26 12:15:16 2002
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163])
	by hub.freebsd.org (Postfix) with ESMTP id BC13E37BED8
	for ; Wed, 26 Jun 2002 12:09:45 -0700 (PDT)
Received: from critter.freebsd.dk (localhost [127.0.0.1])
	by critter.freebsd.dk (8.12.3/8.12.2) with ESMTP id g5QJ7aCn007493;
	Wed, 26 Jun 2002 21:07:37 +0200 (CEST)
	(envelope-from phk@critter.freebsd.dk)
To: William Carrel
Cc: Jan Lentfer , FreeBSD Security Mailling List
Subject: Re: OpenSSH Security (just a question, please no f-war)
In-Reply-To: Your message of "Wed, 26 Jun 2002 11:43:45 PDT."
Date: Wed, 26 Jun 2002 21:07:36 +0200
Message-ID: <7492.1025118456@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

In message , William Carrel writes :

>If and only if you have ChallengeResponseAuthentication set to "yes" then
>you are vulnerable to a hole that will allow malicious code to be executed
>as the privsep user ("sshd") in the /var/empty chroot(). This could lead to
>further compromisation of your system (even inside the chroot as a
>relatively unprivileged user).

Which reminds me that we should really tweak the code and put it in
a jail instead of a chroot.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
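
The condition quoted in the message above, as an added example that is not part of the original email: a shell check of an sshd_config file for the effective ChallengeResponseAuthentication value. It assumes that sshd uses the first occurrence of a keyword and that an unset keyword falls back to OpenSSH's documented default of "yes"; the function names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the effective ChallengeResponseAuthentication setting.

# effective_cra FILE -> prints the value in effect for the global section.
effective_cra() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }                  # only the global section is read here
        key == "challengeresponseauthentication" {
            print tolower($2); found = 1; exit   # sshd uses the first value it finds
        }
        END { if (!found) print "yes" }          # assumption: unset means default "yes"
    ' "$1"
}

# audit_cra FILE -> returns 1 if the condition from the message holds, else 0.
audit_cra() {
    if [ "$(effective_cra "$1")" = "yes" ]; then
        echo "$1: ChallengeResponseAuthentication is effectively yes"
        return 1
    fi
    echo "$1: ChallengeResponseAuthentication is disabled"
    return 0
}

# Constructed sample configs (not taken from any real host).
demo_dir=$(mktemp -d)
printf '%s\n' 'Port 22' '#ChallengeResponseAuthentication no' \
    'ChallengeResponseAuthentication yes' > "$demo_dir/explicit_yes"
printf '%s\n' 'ChallengeResponseAuthentication no' \
    'ChallengeResponseAuthentication yes' > "$demo_dir/first_wins_no"
printf '%s\n' 'Port 22' 'PermitRootLogin no' > "$demo_dir/unset"

for f in explicit_yes first_wins_no unset; do
    audit_cra "$demo_dir/$f" || true
done
```

A commented-out "no" does not count as a setting, and a file that never mentions the keyword is reported as "yes" under the default assumed here.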