OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Sam Bayne (sbaynesccd.ctc.edu)
Date: Wed Jun 26 2002 - 11:12:21 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    So, given the issues:

    > Known issues with OpenSSH 3.3p1:
    > - 2.2 kernel mmap issue worked around with Openwall openssh
    > patch
    > - changing of expired passwords is gone
    > - PAM session management is no longer done as root, which
    > breaks
    > some PAM setups, but not default ImmunixOS pam.
    > - PAM keyboard-interactive is not yet supported with privsep.
    > This is not the default mode of operation in ImmunixOS.
    > - There's no logging for (failed) attempts to log in as an
    > unknown username via protocol 2. (there is a logging patch
    > applied for another issue.)
    > - possible hangs in the client(?)/server(?) when closing an
    > ssh session.
    > - GSSAPI + privilege separation likely does not work.

    and that the vulnerability seems to be in SKEY and BSD_AUTH , such that:
     
    >ISS X-Force recommends that system administrators disable unused OpenSSH
    >authentication mechanisms. Administrators can remove this vulnerability
    >by disabling the Challenge-Response authentication parameter within the
    >OpenSSH daemon configuration file. This filename and path is typically:
    >/etc/ssh/sshd_config. To disable this parameter, locate the
    >corresponding line and change it to the line below:

    >ChallengeResponseAuthentication no

    Is everybody rushing to update? I'm trying to gauge best practice here,
    not
    put anybody on the spot.

    I'd usually update immediately by reflex, but this patch looks to cause
    issues.
    (possible hangs in server on close).

    I don't use challengeResponseAuth, (and I suspect that most don't,
    public key
    is so much more convenient), so it seems we've got an easy way to extend
    the use of the existing version until 3.3 actually functions.

    I'd also like to thank the folks at Wirex for pushing this patch through
    so fast,
    despite what certainly looks like uncooperative public list behavior
    from tdr. 

    -- 
-------------------------------------
Sam Bayne - System Administrator
North Seattle Community College
sbaynesccd.ctc.edu     (206)527-3762
=====================================
_______________________________________________
Immunix-users mailing list
Immunix-usersmail.wirex.com
http://mail.wirex.com/mailman/listinfo/immunix-users