Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
OpenSSH - Major Security Vulnerability
The OpenSSH vulnerability has been disclosed and affects all recent versions.
At least one major security vulnerability exists in many deployed OpenSSH versions (2.9.9 to 3.3). Please see the ISS advisory, or our own OpenSSH advisory on this topic where simple patches are provided for the pre-authentication problem. Systems running with UsePrivilegeSeparation yes or ChallengeResponseAuthentication no are not affected.
The 3.4 release contain many other fixes done over a week long audit started when this issue came to light. We believe that some of those fixes are likely to be important security fixes. Therefore, we urge an upgrade to 3.4.
Everyone should upgrade to 3.4p1 ASAP. You can also:
Disable ChallengeResponseAuthentication in sshd_config.
Disable PAMAuthenticationViaKbdInt in sshd_config.
for distro which is not using PAM, S/KEY and BSD_AUTH such as slackware is not vulnerable ( i guess )
AFAIK this seems correct. Any distro where OpenSSH 2.9> wasn't compiled with S/Key BSD_AUTH *seems* unaffected. The PAM ViaKbdInt usually seems compiled in, but will need to be enabled by the admin to work as it's disabled by default.
But if you're taking your statement as an argument to *not* upgrade OpenSSH, think again: "Although some earlier versions are not affected upgrading to OpenSSH 3.4 is recommended, because OpenSSH 3.4 adds checks for a class of potential bugs" (ISS adv rev 2).