Date: Thu, 27 Jun 2002 13:09:48 +0400 From: "Nickolay A. Kritsky" <nkritsky@internethelp.ru> To: D J Hawkey Jr <hawkeyd@visi.com> Cc: Steve Ames <steve@energistic.com>, Dag-Erling Smorgrav <des@ofug.org>, freebsd-security@FreeBSD.ORG Subject: Re[2]: CERT (Was: Re: NUTS! "Much ado about nothing" -- I need a clearer up or down) Message-ID: <88624007.20020627130948@internethelp.ru> In-Reply-To: <20020626214957.A2165@sheol.localdomain> References: <UqmS8.2068$eH2.1608821@ruti.visi.com> <200206261711.g5QHB9t00396@sheol.localdomain> <xzpr8itxzgm.fsf@flood.ping.uio.no> <20020626210055.A2065@sheol.localdomain> <20020627022949.GA55324@energistic.com> <20020626214957.A2165@sheol.localdomain>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello D, Thursday, June 27, 2002, 6:49:57 AM, you wrote: DJHJ> On Jun 26, at 09:29 PM, Steve Ames wrote: >> >> On Wed, Jun 26, 2002 at 09:00:55PM -0500, D J Hawkey Jr wrote: >> > On Jun 27, at 03:49 AM, Dag-Erling Smorgrav wrote: >> > > >> > > hawkeyd@visi.com (D J Hawkey Jr) writes: >> > > > Sorry to be so thick-headed, but between Mike and Jacques, the answer >> > > > to "Is 'OpenSSH_2.9 FreeBSD localisations 20020307' even vulnerable?" >> > > > is "That does appear to be the case.". >> > > >> > > 2.9 is not vulnerable to this particular attack. >> > >> > That's as simple as it gets. Thanks. >> >> That "particular attack"... yep. The CERT advisory seemed to indicate >> that earlier versions also have vulnerabilities? From 2.3.1p1 to 3.3... DJHJ> See below for some observations. For brevity's sake, I've snipped irrelevant DJHJ> text. for brevity's sake I've snipped even more <snip> >> Disable PAM authentication via interactive keyboard >> >> For OpenSSH versions greater than 2.9, system administrators can >> disable the vulnerable portion of the code affecting the PAM >> authentication issue by setting the "PAMAuthenticationViaKbdInt" >> configuration option to "no" in their sshd configuration file. >> Typically, this is accomplished by adding the following line to >> /etc/ssh/sshd_config: >> >> PAMAuthenticationViaKbdInt no DJHJ> No such animal with the OpenSSH version in RELENG_4_5. I don't know which version of OpenSSH is used in RELENG_4_5, but for those of you, who run OpenSSH_2.9.9p2, this is what you should know: such option exists, and according to man page is turned off by default. from `man sshd': PAMAuthenticationViaKbdInt Specifies whether PAM challenge response authentication is al- lowed. This allows the use of most PAM challenge response authen- tication modules, but it will allow password authentication re- gardless of whether PasswordAuthentication is disabled. The de- fault is ``no''. ;------------------------------------------- ; NKritsky ; mailto:nkritsky@internethelp.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?88624007.20020627130948>