Date:      Wed, 26 Jun 2002 21:49:57 -0500
From:      D J Hawkey Jr <hawkeyd@visi.com>
To:        Steve Ames <steve@energistic.com>
Cc:        Dag-Erling Smorgrav <des@ofug.org>, freebsd-security@FreeBSD.ORG
Subject:   Re: CERT (Was: Re: NUTS! "Much ado about nothing" -- I need a clearer up or down)
Message-ID:  <20020626214957.A2165@sheol.localdomain>
In-Reply-To: <20020627022949.GA55324@energistic.com>; from steve@energistic.com on Wed, Jun 26, 2002 at 09:29:49PM -0500
References:  <UqmS8.2068$eH2.1608821@ruti.visi.com> <200206261711.g5QHB9t00396@sheol.localdomain> <xzpr8itxzgm.fsf@flood.ping.uio.no> <20020626210055.A2065@sheol.localdomain> <20020627022949.GA55324@energistic.com>

On Jun 26, at 09:29 PM, Steve Ames wrote:
> 
> On Wed, Jun 26, 2002 at 09:00:55PM -0500, D J Hawkey Jr wrote:
> > On Jun 27, at 03:49 AM, Dag-Erling Smorgrav wrote:
> > > 
> > > hawkeyd@visi.com (D J Hawkey Jr) writes:
> > > > Sorry to be so thick-headed, but between Mike and Jacques, the answer
> > > > to "Is 'OpenSSH_2.9 FreeBSD localisations 20020307' even vulnerable?"
> > > > is "That does appear to be the case.".
> > > 
> > > 2.9 is not vulnerable to this particular attack.
> > 
> > That's as simple as it gets. Thanks.
> 
> That "particular attack"... yep. The CERT advisory seemed to indicate
> that earlier versions also have vulnerabilities? From 2.3.1p1 to 3.3...

See below for some observations. For brevity's sake, I've snipped irrelevant
text.

> -Steve
> 
> 
> CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response
> Handling
> 
>    [SNIP]
> 
> III. Solution
> 
>    [SNIP]
> 
> Disable challenge response authentication
> 
>    For  OpenSSH  versions  greater  than  2.9,  system administrators can
>    disable   the   vulnerable   portion   of  the  code  by  setting  the
>    "ChallengeResponseAuthentication"  configuration  option  to  "no"  in
>    their  sshd  configuration  file.  Typically,  this is accomplished by
>    adding the following line to /etc/ssh/sshd_config:
> 
>           ChallengeResponseAuthentication no

This I did when I enabled SSH. Seems a mis-match on this between clients
and servers can go a little weird.

> Disable PAM authentication via interactive keyboard
> 
>    For  OpenSSH  versions  greater  than  2.9,  system administrators can
>    disable   the  vulnerable  portion  of  the  code  affecting  the  PAM
>    authentication   issue  by  setting  the  "PAMAuthenticationViaKbdInt"
>    configuration  option  to  "no"  in  their  sshd  configuration  file.
>    Typically,  this  is  accomplished  by  adding  the  following line to
>    /etc/ssh/sshd_config:
> 
>           PAMAuthenticationViaKbdInt no

No such animal with the OpenSSH version in RELENG_4_5.

> Disable both options in older versions of OpenSSH
> 
>    For  OpenSSH  versions  between  2.3.1p1 and 2.9, system administrators
>    will   instead  need  to  set  the  following  options  in  their  ssh
>    configuration file:
> 
>           KbdInteractiveAuthentication no
>           ChallengeResponseAuthentication no

The first doesn't exist in the OpenSSH version in RELENG_4_5.

Would I be naive - or stupid - in assuming that those features that aren't
even implemented cannot be vulnerable?

Dave

-- 
  ______________________                         ______________________
  \__________________   \    D. J. HAWKEY JR.   /   __________________/
     \________________/\     hawkeyd@visi.com    /\________________/
                      http://www.visi.com/~hawkeyd/
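
The per-version option sets quoted from CA-2002-18 above can be checked against a config file with a short script. This is an added example, not part of the original message or the advisory: the function names and the sample config are constructed, and it assumes the sshd_config(5) rules that keywords are case-insensitive and the first value given for a keyword is the one used.

```shell
#!/bin/sh
# Added example; function names and the sample config are constructed.

# explicit_value FILE KEYWORD -> first explicit value, lowercased, or "unset"
explicit_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); found = 0 }
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)         # f[1] keyword, f[2] value
            if (tolower(f[1]) == want) { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# advisory_options SET -> options the advisory names for "newer" (> 2.9)
# or "older" (2.3.1p1 to 2.9) OpenSSH, as quoted in the message
advisory_options() {
    case "$1" in
        newer) echo "ChallengeResponseAuthentication PAMAuthenticationViaKbdInt" ;;
        older) echo "KbdInteractiveAuthentication ChallengeResponseAuthentication" ;;
        *) return 2 ;;
    esac
}

# not_disabled FILE SET -> options from that set not explicitly set to "no"
not_disabled() {
    for opt in $(advisory_options "$2"); do
        [ "$(explicit_value "$1" "$opt")" = "no" ] || printf '%s\n' "$opt"
    done
}

# Constructed sshd_config fragment used for the demonstration run
sample_config() {
    cat <<'EOF'
Port 22
#ChallengeResponseAuthentication yes
challengeresponseauthentication no
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
for vers in older newer; do
    echo "$vers: $(not_disabled "$tmp" "$vers")"
done
rm -f "$tmp"
```

An option reported here may simply be absent from the file, in which case the script cannot tell whether the installed sshd implements it or what its compiled-in default is.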

