
Re: [Fwd: ISS Advisory: OpenSSH Remote Challenge Vulnerability]

On Wednesday, 2002-06-26 at 18:14:35 +0200, Mark Janssen wrote:
> From what I understand, the advisory below is for the security issue
> we've been buggering over for the last 2-3 days.

> As I understand it, there is no need to upgrade to openssh 3.3 and use
> priv-sep code, when we turn off the various challenge-response systems
> discussed below (BSD-AUTH and SKEY).

> AFAIK many people don't need these (What does BSD-Auth do on Debian?)
> so we should be safe with the old 3.0.2/3.1 SSH packages and these
> options removed from the default install ???

> Can anyone shed any light on this...

> -----Forwarded Message-----
> ... 
> OpenSSH supports the SKEY and BSD_AUTH authentication options. These are
> compile-time options. At least one of these options must be enabled
> before the OpenSSH binaries are compiled for the vulnerable condition to
> be present. OpenBSD 3.0 and later is distributed with BSD_AUTH enabled.
> The SKEY and BSD_AUTH options are not enabled by default in many
> distributions. However, if these options are explicitly enabled, that
> build of OpenSSH may be vulnerable.

I just had a look at openssh-3.0.2p1/debian/rules (3.0.2p1 is included
with woody, before applying woody/updates):

	./configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-rsh=/usr/bin/rsh --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin --disable-suid-ssh --with-pam --with-4in6 --with-ipv4-default

And ./configure --help says:

  --with-skey[=PATH]      Enable S/Key support
                            (optionally in PATH)

So I'd assume S/Key is not included in Woody's 3.0.2p1 .deb. (I'm
not familiar with package building in Debian, so I may be wrong.)

If it really isn't, all the hoopla was in vain. Thank you, Theo.
I scrapped OpenBSD because of him. He has confirmed my opinion.
Try to avoid anything contaminated by Theo de Raadt.

I've spent several hours updating left and right, and now this?
How shall I justify this to my client? I can't really charge for
falling for Theo. Seems I took a firm stand and bent over for him.

Lupe Christoph
| lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| I have challenged the entire ISO-9000 quality assurance team to a      |
| Bat-Leth contest on the holodeck. They will not concern us again.      |
| http://public.logica.com/~stepneys/joke/klingon.htm                    |
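The check above is done by eye: read the configure invocation in debian/rules and look for the S/Key switch. The following is an added example, not part of the original message or of the Debian packaging, that does the same inspection mechanically. It tokenises a configure command line and reports whether --with-skey or --with-bsd-auth (with or without an =PATH argument) is present. The --with-bsd-auth switch is assumed from the portable OpenSSH tree of the time; the quoted --help excerpt only shows --with-skey. CONFIGURE_LINE is copied from the woody 3.0.2p1 debian/rules quoted above.

```shell
#!/bin/sh
# Added example: report which compile-time challenge-response options a
# configure invocation enables. Not code from the message or from Debian.

# Copied from the openssh-3.0.2p1 debian/rules line quoted in the message.
CONFIGURE_LINE='./configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-rsh=/usr/bin/rsh --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin --disable-suid-ssh --with-pam --with-4in6 --with-ipv4-default'

# challenge_auth_options CONFIGURE_CMDLINE
#   Prints "skey" and/or "bsd_auth", one per line, for each option found,
#   or "none" if neither is present. Returns 0 if at least one option is
#   enabled, 1 otherwise. Matching is on whole tokens so that
#   "--with-skey=/usr/local" counts while unrelated "--with-s..." flags do not.
#   --with-bsd-auth is the portable tree's switch (assumed here).
challenge_auth_options() {
    found=1
    for tok in $1; do
        case "$tok" in
            --with-skey|--with-skey=*)         echo skey;     found=0 ;;
            --with-bsd-auth|--with-bsd-auth=*) echo bsd_auth; found=0 ;;
        esac
    done
    [ "$found" -eq 0 ] || echo none
    return "$found"
}

# Stand-alone usage: inspect the woody line and say what it implies.
if challenge_auth_options "$CONFIGURE_LINE" >/dev/null; then
    echo "challenge-response code (S/Key or BSD_AUTH) is compiled in"
else
    echo "neither --with-skey nor --with-bsd-auth on the configure line"
fi
```

Run it against the configure line of the package you actually have installed (the one in its debian/rules, or the line recorded in config.log of the build tree), not against a line you remember; the point of the message is that the answer depends on exactly how the binary was built.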
