ssh allowing password logins even though its disabled

To: debian-security@lists.debian.org
Subject: ssh allowing password logins even though its disabled
From: tim@fungible.com (Tim Freeman)
Date: Wed, 3 Apr 2002 21:39:21 -0700
Message-id: <[🔎] 20020404054433.05BE67F71@lobus.fungible.com>

I just rediscovered bug 109846 in ssh, 

   "SSH uses PAM password authentication in SSH2 even if disabled"

It's filed as a "normal" bug.  Before I discovered the dup, I was
going to file it as a "grave" bug, since the system involved has weak
passwords (my kids have to be able to log in, and they can't type too
well).  If I had not tested that ssh disables passwords when you tell
it to, it would have allowed fairly easy penetration, so there might
be lots of vulnerable systems out there.

Can anyone clue me in on why other people don't think this is grave,
or lend me encouragment on pushing the priority up?

-- 
Tim Freeman       
tim@fungible.com


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: ssh allowing password logins even though its disabled
  - From: "Jeremy T. Bouse" <jbouse@debian.org>

Prev by Date: DoS in Shells: was Re: DoS in debian (potato) proftpd: 1.2.0pre10-2.0potato1
Next by Date: Re: DoS in debian (potato) proftpd: 1.2.0pre10-2.0potato1
Previous by thread: Re: DoS in Shells: was Re: DoS in debian (potato) proftpd: 1.2.0pre10-2.0potato1
Next by thread: Re: ssh allowing password logins even though its disabled
Index(es):
- Date
- Thread