Security Update: [CSSA-2002-030.0] Linux: OpenSSH Vulnerabilities in Challenge Response Handling


Date: Thu, 27 Jun 2002 11:52:21 -0700
From: security@caldera.com
To: bugtraq@securityfocus.com, announce@lists.caldera.com,
Subject: Security Update: [CSSA-2002-030.0] Linux: OpenSSH Vulnerabilities in Challenge Response Handling


To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com

______________________________________________________________________________

		Caldera International, Inc.  Security Advisory

Subject:		Linux: OpenSSH Vulnerabilities in Challenge Response Handling
Advisory number: 	CSSA-2002-030.0
Issue date: 		2002 June 27
Cross reference:
______________________________________________________________________________


1. Problem Description

	Several vulnerabilities have been reported in OpenSSH if the
	S/KEY or BSD Auth features have been enabled, or if
	PAMAuthenticationViaKbdInt has been enabled.


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------

	OpenLinux 3.1.1 Server		prior to and including openssh-3.2.3p1-2
	OpenLinux 3.1.1 Workstation	prior to and including openssh-3.2.3p1-2
	OpenLinux 3.1 Server		prior to and including openssh-3.2.3p1-2
	OpenLinux 3.1 Workstation	prior to and including openssh-3.2.3p1-2


3. Solution

	Caldera OpenLinux OpenSSH has neither the S/KEY nor BSD Auth
	features compiled in, so it is not vulnerable to the
	Challenge/Response vulnerability.

	We do have the ChallengeResponseAuthentication option on by
	default, however, so to be safe, we recommend that the option
	be disabled (set to no) in the /etc/ssh/sshd_config file.

	In addition, the sshd_config PAMAuthenticationViaKbdInt option
	is disabled by default, so OpenLinux is not vulnerable to the
	other alleged vulnerability in a default configuration,
	either. However, Caldera recommends that this option also be
	disabled (set to no) if it has been enabled by the system
	administrator.
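The following script is an added example, not part of the Caldera advisory, showing one way to verify and apply the two sshd_config changes recommended above. It reads a config file the way sshd does (first active occurrence of a keyword wins, keyword matching is case-insensitive), reports whether ChallengeResponseAuthentication and PAMAuthenticationViaKbdInt are effectively "no", and writes a hardened copy. The sample config it creates is constructed for the example; the assumed defaults for an absent keyword (ChallengeResponseAuthentication on, PAMAuthenticationViaKbdInt off) are taken from the advisory text. Function names and file paths are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Caldera advisory: audit an sshd_config for the
# two keywords the advisory says to set to "no", and produce a hardened copy.
# The sample config files below are constructed for this example; on a real
# host the file is /etc/ssh/sshd_config.

# Print the value of the first active (uncommented) occurrence of keyword $2
# in config file $1. sshd honours the first occurrence and matches keywords
# case-insensitively. The "Keyword=value" spelling is not handled here.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Return 0 when both options are effectively "no", 1 otherwise, printing one
# line per finding. Assumed defaults for an absent keyword follow the advisory
# text: ChallengeResponseAuthentication is on (yes), PAMAuthenticationViaKbdInt
# is off (no).
audit_sshd_config() {
    cra=$(sshd_option "$1" ChallengeResponseAuthentication)
    pam=$(sshd_option "$1" PAMAuthenticationViaKbdInt)
    cra=$(printf '%s' "${cra:-yes}" | tr 'A-Z' 'a-z')
    pam=$(printf '%s' "${pam:-no}" | tr 'A-Z' 'a-z')
    status=0
    if [ "$cra" != no ]; then
        echo "$1: ChallengeResponseAuthentication is '$cra'; set it to no"
        status=1
    fi
    if [ "$pam" != no ]; then
        echo "$1: PAMAuthenticationViaKbdInt is '$pam'; set it to no"
        status=1
    fi
    return $status
}

# Write a copy of config $1 to $2 with both keywords forced to "no": every
# active line for either keyword is rewritten, and a keyword that never
# appears is appended. Comments and all other lines are kept verbatim.
harden_sshd_config() {
    awk '
        /^[ \t]*#/ { print; next }
        tolower($1) == "challengeresponseauthentication" {
            print "ChallengeResponseAuthentication no"; seen_cra = 1; next
        }
        tolower($1) == "pamauthenticationviakbdint" {
            print "PAMAuthenticationViaKbdInt no"; seen_pam = 1; next
        }
        { print }
        END {
            if (!seen_cra) print "ChallengeResponseAuthentication no"
            if (!seen_pam) print "PAMAuthenticationViaKbdInt no"
        }
    ' "$1" > "$2"
}

# Constructed sample: a shipped-style configuration of the kind the advisory
# describes, with ChallengeResponseAuthentication on and the PAM keyword only
# present as a comment (so it takes its default).
SAMPLE_DIR=$(mktemp -d)
BEFORE_CFG="$SAMPLE_DIR/sshd_config.before"
AFTER_CFG="$SAMPLE_DIR/sshd_config.after"
cat > "$BEFORE_CFG" <<'EOF'
# constructed sshd_config sample, not a real Caldera file
Port 22
Protocol 2,1
challengeresponseauthentication YES
#PAMAuthenticationViaKbdInt yes
EOF

if audit_sshd_config "$BEFORE_CFG"; then
    echo "$BEFORE_CFG already follows the advisory"
fi
harden_sshd_config "$BEFORE_CFG" "$AFTER_CFG"
if audit_sshd_config "$AFTER_CFG"; then
    echo "$AFTER_CFG follows the advisory"
fi
```

Run it against a copy of /etc/ssh/sshd_config rather than the live file, review the hardened copy, then install it and restart sshd; the audit function alone is enough for a read-only check across a fleet.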


4. References

	Specific references for this advisory:
		http://www.cert.org/advisories/CA-2002-18.html

	Caldera security resources:
		http://www.caldera.com/support/security/index.html


5. Disclaimer

	Caldera International, Inc. is not responsible for the misuse
	of any of the information we provide on this website and/or
	through our security advisories. Our advisories are a service
	to our customers intended to promote secure installation and
	use of Caldera products.

______________________________________________________________________________


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj0bXuUACgkQbluZssSXDTGrtgCfTd4ZGbDu1G4aeHZUpijxwY9Y
kxQAoLGf0NrR2+53GcS4EXr1fp03kZaW
=/5GD
-----END PGP SIGNATURE-----

