From: Sam Bayne (sbaynesccd.ctc.edu)
Date: Wed Jun 26 2002 - 11:12:21 CDT
So, given the issues:
> Known issues with OpenSSH 3.3p1:
> - 2.2 kernel mmap issue worked around with Openwall openssh
> - changing of expired passwords is gone
> - PAM session management is no longer done as root, which
> some PAM setups, but not default ImmunixOS pam.
> - PAM keyboard-interactive is not yet supported with privsep.
> This is not the default mode of operation in ImmunixOS.
> - There's no logging for (failed) attempts to log in as an
> unknown username via protocol 2. (there is a logging patch
> applied for another issue.)
> - possible hangs in the client(?)/server(?) when closing an
> ssh session.
> - GSSAPI + privilege separation likely does not work.
and that the vulnerability seems to be in SKEY and BSD_AUTH, such that:
> ISS X-Force recommends that system administrators disable unused OpenSSH
> authentication mechanisms. Administrators can remove this vulnerability
> by disabling the Challenge-Response authentication parameter within the
> OpenSSH daemon configuration file. This filename and path is typically:
> /etc/ssh/sshd_config. To disable this parameter, locate the
> corresponding line and change it to the line below:
Is everybody rushing to update? I'm trying to gauge best practice here,
put anybody on the spot.
I'd usually update immediately by reflex, but this patch looks to cause
(possible hangs in server on close).
I don't use challengeResponseAuth, (and I suspect that most don't,
is so much more convenient), so it seems we've got an easy way to extend
the use of the existing version until 3.3 actually functions.
I'd also like to thank the folks at Wirex for pushing this patch through
despite what certainly looks like uncooperative public list behavior.
--
-------------------------------------
Sam Bayne - System Administrator
North Seattle Community College
sbaynesccd.ctc.edu
(206)527-3762
=====================================
_______________________________________________
Immunix-users mailing list
Immunix-usersmail.wirex.com
http://mail.wirex.com/mailman/listinfo/immunix-users
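An added example, not code from the original post, from ISS or from the OpenSSH project: a POSIX shell check that reports the effective ChallengeResponseAuthentication value of an sshd_config, the parameter the quoted ISS workaround turns off. It assumes sshd_config's first-occurrence-wins rule for keywords, case-insensitive keyword matching, and a compiled-in default of "yes" when the keyword is absent; the function names and the two sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post, ISS or OpenSSH): report the effective
# ChallengeResponseAuthentication setting of an sshd_config file.
# Assumptions: the first uncommented occurrence of a keyword wins (later
# duplicates are ignored), keywords are case-insensitive, both "keyword value"
# and "keyword=value" are accepted, and the default when absent is "yes".

# Print the effective value ("yes" or "no") for the config file given as $1.
effective_cra() {
    v=$(awk '
        { sub(/^[ \t]+/, "") }                 # strip leading whitespace
        /^#/ || /^$/ { next }                  # skip comments and blank lines
        {
            split($0, f, /[ \t=]+/)
            if (tolower(f[1]) == "challengeresponseauthentication") {
                print tolower(f[2]); exit      # first occurrence wins
            }
        }' "$1")
    if [ -n "$v" ]; then echo "$v"; else echo "yes"; fi   # absent -> default
}

# Return 0 when challenge-response auth is disabled, 1 when it is still
# effective (set explicitly, or by default because the keyword is missing).
cra_disabled() {
    [ "$(effective_cra "$1")" = "no" ]
}

# Write two constructed sample configs into a temp dir and print its path:
#   exposed.conf - keyword present only as a comment, so the default applies
#   fixed.conf   - keyword set to "no" ahead of a later, ignored duplicate
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'Port 22' '#ChallengeResponseAuthentication yes' \
        'PasswordAuthentication yes' > "$d/exposed.conf"
    printf '%s\n' 'Port 22' '  ChallengeResponseAuthentication no' \
        'challengeresponseauthentication=yes' > "$d/fixed.conf"
    echo "$d"
}

# Report every config in the directory given as $1.
report_dir() {
    for f in "$1"/*.conf; do
        if cra_disabled "$f"; then echo "$f: challenge-response disabled"
        else echo "$f: challenge-response still enabled"; fi
    done
}

# Stand-alone run over the constructed samples, then clean up.
samples=$(make_samples); report_dir "$samples"; rm -rf "$samples"
```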