
BLU Discuss list archive



No subject



---
DDDD   David Kramer                           http://thekramers.net
DK KD  "In a time of drastic change it is the learners who inherit
DKK D  the future. The learned usually find themselves equipped to
DK KD  live in a world that no longer exists."
DDDD                                      - Eric Hoffer (1902-1983)


---------- Forwarded message ----------
Date: Wed, 26 Jun 2002 13:21:12 -0500 (CDT)
Reply-To: redhat-list at redhat.com
To: redhat-list at redhat.com
Subject: [REDHAT] Re: OpenSSH bug workaround *NOT NEEDED*

On 26 Jun 2002, Gordon Messmer wrote:

> On Wed, 2002-06-26 at 09:05, M A Young wrote:
> > In case people haven't seen it, according to
> > http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584
> > You can secure your system from the recent ssh security hole by turning
> > off "challenge-response" authentication and restarting sshd.
> 
> Reviewing the announcement, I wonder if this affects Red Hat's OpenSSH
> at all...  The output of the configure process indicates positively that
> the affected BSD Auth and S/KEY authentication mechanisms are not
> available (see below), and connecting to a RHL machine with 'ssh -v'
> does not indicate that any challenge-response authentication mechanisms
> are available.

The "bug" does not appear to affect Redhat supplied OpenSSH, neither S/KEY 
nor BSD Auth is configured.

Gordon is correct as far as I can tell, THERE IS NO VULNERABILITY for 
Redhat supplied OpenSSH for this particular issue. There is NO NEED to 
upgrade yet. I've heard of at least one possible hole in the 3.3 version 
(sorry, lost the link) so don't upgrade blindly.

I haven't grabbed a SRPM yet to absolutely verify this, but I will do so 
and I would expect an announcement from Redhat soon as well.

Later,

Bill Carlson
-- 
Systems Programmer    wcarlson at vh.org         | Anything is possible,
Virtual Hospital      http://www.vh.org/      | given time and money.
University of Iowa Hospitals and Clinics      |       
Opinions are mine, not my employer's.         | 



_______________________________________________
Redhat-list mailing list
Redhat-list at redhat.com
https://listman.redhat.com/mailman/listinfo/redhat-list
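
Added example, not part of the original message or of any Red Hat or OpenSSH tooling: a shell check of whether the workaround quoted above (challenge-response authentication turned off) is in effect in an sshd_config-style file. It assumes the directive is named `ChallengeResponseAuthentication`, that the upstream default when the directive is absent is `yes`, and that only the global section (before any `Match` line) matters; the sample config is constructed.

```shell
#!/bin/sh
# Added example: report the effective global ChallengeResponseAuthentication
# setting. sshd uses the FIRST value it reads for a keyword; keywords are
# case-insensitive and may be separated from the value by whitespace or "=".

# effective_cra FILE -> prints the effective value ("yes" or "no")
effective_cra() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)          # keyword ends at space, tab or "="
            if (n == 0) next                   # keyword with no value: ignore
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)    # drop the separator
            sub(/[ \t]+$/, "", val)
            gsub(/"/, "", val)                 # tolerate a quoted value
            if (key == "match") exit           # global section ends here
            if (key == "challengeresponseauthentication") {
                found = val; hit = 1; exit     # first occurrence wins
            }
        }
        END { print (hit ? tolower(found) : "yes") }   # assumed default: yes
    ' "$1"
}

# check_cra FILE -> exit status 0 if the workaround is in effect, 1 otherwise
check_cra() {
    v=$(effective_cra "$1")
    if [ "$v" = "no" ]; then
        echo "OK: challenge-response authentication is disabled"
        return 0
    fi
    echo "WARN: challenge-response authentication is enabled (value: $v)"
    return 1
}

# Constructed sample config (not taken from any real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sshd_config (constructed sample)
Port 22
challengeresponseauthentication = no
ChallengeResponseAuthentication yes
EOF
check_cra "$sample" || true
rm -f "$sample"
```

The file only shows what is configured; as the message notes, sshd must be restarted after a change, and whether the mechanisms are compiled in at all is a separate question that the file cannot answer.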





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org