Is there _any_ Linux distributor who is vulnerable?
Posted Jun 28, 2002 14:04 UTC (Fri) by beejaybee (guest, #1581)
In reply to: Is there _any_ Linux distributor who is vulnerable? by JoeBuck
Parent article: Caldera update for OpenSSH
Oh dear. You have the question the wrong way round - is there _any_ Linux distribution which isn't vulnerable, or at least has been vulnerable in the very recent past?
Obviously you don't read the security alerts, so:
You are SERIOUSLY vulnerable if you are running ANY version of OpenSSH prior to v3.1 - irrespective of the configuration - for a number of reasons; exploits for the exposed vulnerabilities have been around for a while now, and systems are frequently scanned for evidence of them.
With OpenSSH v3.1, v3.2 & v3.3 you are vulnerable UNLESS you have disabled challenge response authentication, i.e. to be safe you MUST have
ChallengeResponseAuthentication no
in sshd_config.
With OpenSSH v3.1, v3.2 & v3.3 you are vulnerable if you have PAM authentication enabled, i.e. to be safe you MUST NOT have
PAMAuthenticationViaKbdInt yes
in sshd_config.
Don't forget to restart sshd (the required incantation is probably "/etc/rc.d/init.d/sshd restart") if you change sshd_config.
Upgrading to OpenSSH v3.4 is desirable, since disabling services may result in lack of required functionality.
Please don't bury your head in the sand - configure safely or upgrade NOW!
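The two sshd_config conditions stated in the comment above, written as a checker script. This is an added example, not part of either comment; the function names and the sample file are constructed for illustration, and an unset directive is reported as found rather than assumed to have any particular default.

```shell
#!/bin/sh
# Audit an sshd_config against the two conditions from the comment:
#   - "ChallengeResponseAuthentication no" must be present
#   - "PAMAuthenticationViaKbdInt yes" must not be present

# first_value FILE KEYWORD -> print the first value set for KEYWORD, lowercased.
# sshd uses the first occurrence of a keyword and matches keywords
# case-insensitively; the keyword=value form is tolerated as well.
first_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }              # skip comment lines
        { sub(/=/, " ") }                # accept "Keyword=value"
        NF >= 2 && tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE -> print findings; return 0 if both conditions hold.
audit_sshd_config() {
    cfg=$1
    rc=0
    cr=$(first_value "$cfg" ChallengeResponseAuthentication)
    pam=$(first_value "$cfg" PAMAuthenticationViaKbdInt)
    if [ "$cr" != "no" ]; then
        echo "FAIL: ChallengeResponseAuthentication is '${cr:-unset}', expected 'no'"
        rc=1
    fi
    if [ "$pam" = "yes" ]; then
        echo "FAIL: PAMAuthenticationViaKbdInt is 'yes'"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $cfg meets both conditions"
    return "$rc"
}

# Constructed sample: challenge-response left unset, PAM via kbdint enabled.
sample=$(mktemp)
printf '%s\n' '# constructed sample config' 'Port 22' \
    'PAMAuthenticationViaKbdInt yes' > "$sample"
audit_sshd_config "$sample" || true
rm -f "$sample"
```

Point `audit_sshd_config` at the real file (its location varies by distribution) and restart sshd after any change, as the comment says.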
Posted Jun 28, 2002 18:19 UTC (Fri)
by JoeBuck (subscriber, #2330)
You clearly misunderstand my point. Debian, Red Hat, Caldera and others
were not vulnerable at all to the challenge-response authentication bug,
because they did not enable that feature. Same for BSDAuth.
That's why I questioned whether they were vulnerable at all; my head is
not in the sand. Based on the initial description, it appeared that the
vulnerabilities were only in options that the Linux distributors had not
enabled.
Similarly, Debian potato has so old a version of ssh that it is not vulnerable either. However, it turns out that the woody version is vulnerable to
the PAM/kbdint problem, though there is no known exploit for that one.
