[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Is there a new ssh somewhere? (was Re: Use opie on Debian central servers to prevent password sniffing?)

From: Tim Freeman <tim@fungible.com>
>it says the Debian machines were compromised by password sniffing from
>other compromised machines.  If you use one time passwords instead,
>then password sniffing doesn't yield useful information and the damage
>from this sort of failure would be more limited.
>Is there some issue with opie that would cause problems when using it
>on the Debian servers?

From: Philippe Troin <phil@fifi.org>
>I haven't look at OPIE for ages, but when using it with ssh, doesn't
>it force you to turn privilege separation off in /etc/ssh/sshd_config?

From: Tim Freeman <tim@fungible.com>
Date: Wed, 10 Dec 2003 14:20:03 -0700
>Yes, using opie and pam and sshd all at once requires turning off
>privilege separation for sshd.

According to the changelog entries, this is fixed in 3.7p1 of openssh,
which came out on September 19, 2003.

As of December 17, the version of ssh in Debian unstable was 3.6.1p2.  

Any plans to have a new version of ssh out in unstable any time soon?
Is there an experimental openssh package with 3.7p1 or better?

Tim Freeman                                                  tim@fungible.com
I xeroxed a mirror. Now I have an extra xerox machine.       -- Steven Wright

Reply to: