SSH - Preparing for the big one (was Re: SSH Exploit Reveale…

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MLogan Kennelly at <-
M 
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: Bob George
Date:  
Subject: SSH - Preparing for the big one (was Re: SSH Exploit Revealed (fwd))
"Logan Kennelly" <> wrote:

> [...]
> You have probably already done this, but OpenSSH 3.3p1 is still
vulnerable.
> The key is that it now supports privilege separation which should trap
them
> in a little box where they can't do anything. To enable this, add the
> following line to your sshd config file.
>
> UsePrivilegeSeparation yes

Thanks Logan. Someone on another list also pointed me to
http://www.kb.cert.org/vuls/id/369347 which also seems to be a good,
concise description of the problem, and possible workarounds. For ssh >
2.9, they recommend:

ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt no

along with your recommendation. It sounds like this is a moving target,
at least until 3.4 is readily available.

- Bob


This message was posted to the following mailing lists:
Plug Discuss
Mailing List Info | Nearby Messages		<-Crappy Products Cost More!!mysql -> postgres->
Some Mailing List Archive administrated by UnconfiguredLurker (version 2.3)