Quick fix for OpenSSH Vulnerability (was re: [scott@sonic.net: [ops] OpenSSH users read now!]
Scott Doty
scott at sonic.net
Wed Jun 26 12:02:29 PDT 2002
Thought you might appreciate this quick note...upgrading, of course, is
better, but if a config change can remove the vulnerability immediately, so
much the better.
-Scott
----- Forwarded message from Scott Doty <scott at sonic.net> -----
Delivered-To: scott at ponzo.sonic.net
Delivered-To: ops at afterburner.sonic.net
Date: Wed, 26 Jun 2002 11:51:39 -0700
From: Scott Doty <scott at sonic.net>
To: Sonic OPS list <ops at lists.sonic.net>
Subject: [ops] OpenSSH users read now!
Reply-To: ops at lists.sonic.net
Anyone running OpenSSH sshd please make the following configuration change
for your daemon.
-Scott
----- Forwarded message from X-Force <xforce at iss.net> -----
Delivered-To: scott at ponzo.sonic.net
Delivered-To: mailing list bugtraq at securityfocus.com
Delivered-To: moderator for bugtraq at securityfocus.com
Date: Wed, 26 Jun 2002 09:56:07 -0400 (EDT)
To: bugtraq at securityfocus.com
From: X-Force <xforce at iss.net>
Subject: [bt] ISS Advisory: OpenSSH Remote Challenge Vulnerability
Internet Security Systems Security Advisory
June 26, 2002
OpenSSH Remote Challenge Vulnerability
[...]
ISS X-Force recommends that system administrators disable unused OpenSSH
authentication mechanisms. Administrators can remove this vulnerability
by disabling the Challenge-Response authentication parameter within the
OpenSSH daemon configuration file. This filename and path is typically:
/etc/ssh/sshd_config. To disable this parameter, locate the
corresponding line and change it to the line below:
ChallengeResponseAuthentication no
The "sshd" process must be restarted for this change to take effect.
This workaround will permanently remove the vulnerability.
[...]
----- End forwarded message -----
----- End forwarded message -----
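
A check for the workaround quoted in the advisory above, as an added example that is not part of the original messages or the ISS advisory: it reports whether `ChallengeResponseAuthentication no` is the value sshd will actually use, since a commented-out line does nothing and sshd keeps the first value it reads for a keyword. The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory: audit an sshd_config for the workaround.

# Print the effective global value of ChallengeResponseAuthentication
# ("yes", "no", ...) or "unset" when no active line sets it.
cra_state() {
    awk '
        /^[ \t]*(#|$)/ { next }              # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)        # "Keyword value" or "Keyword=value"
            kw = tolower(f[1])               # keywords are case-insensitive
            if (kw == "match") exit          # only the global section is read
            if (kw == "challengeresponseauthentication") {
                print f[2]; found = 1; exit  # sshd uses the first value it reads
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Exit status 0 only when the workaround line is the one sshd will use.
workaround_applied() {
    [ "$(cra_state "$1")" = "no" ]
}

# Constructed sample files (not real host configs) covering the edge cases.
write_samples() {
    printf '%s\n' 'Port 22' 'ChallengeResponseAuthentication no' > "$1/fixed"
    printf '%s\n' 'Port 22' '#ChallengeResponseAuthentication no' > "$1/commented"
    printf '%s\n' 'challengeresponseauthentication yes' \
                  'ChallengeResponseAuthentication no' > "$1/shadowed"
}
```

After sourcing the file, `workaround_applied /etc/ssh/sshd_config` returns 0 only when the workaround is in effect; the daemon still has to be restarted, as the advisory says.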