LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 24, 2012

A uTouch architecture introduction

LWN.net Weekly Edition for May 17, 2012

Tasting the Ice Cream Sandwich

Highlights from the PostgreSQL 9.2 beta

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Is there <i>any</i> Linux distributor who is vulnerable?

Is there <i>any</i> Linux distributor who is vulnerable?

Posted Jun 28, 2002 14:04 UTC (Fri) by beejaybee (guest, #1581)
In reply to: Is there <i>any</i> Linux distributor who is vulnerable? by JoeBuck
Parent article: Caldera update for OpenSSH

Oh dear. You have the question the wrong way round - is there _any_ linux distribution which isn't vulnerable, or at least has been vulnerable in the very recent past.

Obviously you don't read the security alerts, so:

You are SERIOUSLY vulnerable if you are running ANY version of OpenSSH prior to v3.1 - irrespective of the configuration - for a number of reasons; exploits for the exposed vulnerabilities have been around for a while now, and systems are frequently scanned for evidence of them.

With OpenSSH v3.1, v3.2 & v3.3 you are vulnerable UNLESS you have disabled challenge response authentication, i.e. to be safe you MUST have

ChallengeResponseAuthentication no

in sshd_config.

With OpenSSH v3.1, v3.2 & v3.3 you are vulnerable if you have PAM authentication enabled, i.e. to be safe you MUST NOT have

PAMAuthenticationViaKbdInt yes

in sshd_config.

Don't forget to restart sshd (the required incantation is probably "/etc/rc.d/init.d/sshd restart" if you change sshd_config.

Upgrading to OpenSSH v3.4 is desirable, since disabling services may result in lack of required functionality.

Please don't bury your head in the sand - configure safely or upgrade NOW!

(Log in to post comments)

Is there <i>any</i> Linux distributor who is vulnerable?

Posted Jun 28, 2002 18:19 UTC (Fri) by JoeBuck (subscriber, #2330) [Link]

You clearly misunderstand my point. Debian, Red Hat, Caldera and others were not vulnerable at all to the challenge-response authentication bug, because they did not enable that feature. Same for BSDAuth. That's why I questioned whether they were vulnerable at all; my head is not in the sand. Based on the initial description, it appeared that the vulnerabilities were only in options that the Linux distributors had not enabled.

Similarly, Debian potato has so old a version of ssh that it is not vulnerable either. However, it turns out that the woody version is vulnerable to the PAM/kbdint problem, though there is no known exploit for that one.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds