Re: OpenSSH vuln: BSD only?

To: debian-security@lists.debian.org
Subject: Re: OpenSSH vuln: BSD only?
From: Wichert Akkerman <wichert@wiggy.net>
Date: Thu, 27 Jun 2002 12:36:42 +0200
Message-id: <[🔎] 20020627103642.GJ9384@wiggy.net>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 51807.217.198.203.200.1025167124.squirrel@webmail.kern.nl>
References: <[🔎] 1025115618.4335.11.camel@killer> <[🔎] 51807.217.198.203.200.1025167124.squirrel@webmail.kern.nl>

Previously Wim Fournier wrote:
> I just read this over at iss, it seems that the vuln only exists for
> default installations of BSD and only for S-KEY and BSD authentication.

That advisory sucks :). Keyboard-interactive authentication is
vulnerable, and we use that for PAM as well by default (that makes PAM
modules which use a conversation function like libpam-opie work).

Wichert.

-- 
  _________________________________________________________________
 /wichert@wiggy.net         This space intentionally left occupied \
| wichert@deephackmode.org            http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

References:
- OpenSSH 3.4 released... should FIX problems
  - From: Mark Janssen <maniac@maniac.nl>
- OpenSSH vuln: BSD only?
  - From: "Wim Fournier" <wim@kern.nl>

Prev by Date: Re: openssh packages not vulnerable
Next by Date: Re: [Fwd: ISS Advisory: OpenSSH Remote Challenge Vulnerability]
Previous by thread: Re: OpenSSH vuln: BSD only?
Next by thread: openssh packages not vulnerable
Index(es):
- Date
- Thread