SSH - Preparing for the big one (was Re: SSH Exploit Revealed (fwd))
Bob George
plug-discuss@lists.plug.phoenix.az.us
Wed, 26 Jun 2002 21:18:48 -0700
"Logan Kennelly" <voltage_spike@fastmail.fm> wrote:
> [...]
> You have probably already done this, but OpenSSH 3.3p1 is still
vulnerable.
> The key is that it now supports privilege separation which should trap
them
> in a little box where they can't do anything. To enable this, add the
> following line to your sshd config file.
>
> UsePrivilegeSeparation yes
Thanks Logan. Someone on another list also pointed me to
http://www.kb.cert.org/vuls/id/369347 which also seems to be a good,
concise description of the problem, and possible workarounds. For ssh >
2.9, they recommend:
ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt no
along with your recommendation. It sounds like this is a moving target,
at least until 3.4 is readily available.
- Bob