>
> >A quick glance at the source code suggests that SSH 2.3.0 and
> >2.4.0 have the same problem.  Is this true?
>
> I suppose we are talking about this section of ssh 2.4.0's
> sshunixuser.c:
>
>      /* Authentication is accepted if the encrypted passwords are identical. */
>    #ifdef HAVE_HPUX_TCB_AUTH
>      return strncmp(encrypted_password, correct_passwd,
>                     strlen(correct_passwd)) == 0;
>    #else /* HAVE_HPUX_TCB_AUTH */
>      return strcmp(encrypted_password, correct_passwd) == 0;
>    #endif /* HAVE_HPUX_TCB_AUTH */
>
> If I read this correctly, it's certainly not a problem unless ssh is
> compiled with HAVE_HPUX_TCB_AUTH defined.  In that case, it may or

The Linux compile at least doesn't #define HAVE_HPUX_TCB_AUTH, so
sshd 2.4.0 is not vulnerable on Linux.

Luci
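
What the two branches of the quoted snippet accept, as an added example (not code from ssh or from the posters): strncmp bounded by strlen(correct_passwd) only checks that the stored string is a prefix of the computed one, while strcmp requires the whole string to match. The function names and sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Comparison compiled in when HAVE_HPUX_TCB_AUTH is defined (as quoted). */
static int match_tcb(const char *encrypted_password, const char *correct_passwd)
{
    return strncmp(encrypted_password, correct_passwd,
                   strlen(correct_passwd)) == 0;
}

/* Comparison compiled in otherwise (as quoted). */
static int match_default(const char *encrypted_password, const char *correct_passwd)
{
    return strcmp(encrypted_password, correct_passwd) == 0;
}

struct sample { const char *computed; const char *stored; const char *note; };

/* Constructed strings for illustration, not real crypt() output. */
static const struct sample samples[] = {
    { "abXYZ12345678",      "abXYZ12345678", "identical" },
    { "abXYZ12345678EXTRA", "abXYZ12345678", "stored is a prefix of computed" },
    { "abXYZ12345678",      "",              "stored field is empty" },
    { "abQQQ00000000",      "abXYZ12345678", "different" },
};
#define NSAMPLES (sizeof samples / sizeof samples[0])

/* Number of samples on which the two branches give different answers. */
int count_disagreements(void)
{
    int n = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        if (match_tcb(samples[i].computed, samples[i].stored) !=
            match_default(samples[i].computed, samples[i].stored))
            n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("%-32s strncmp-branch=%d strcmp-branch=%d\n", samples[i].note,
               match_tcb(samples[i].computed, samples[i].stored),
               match_default(samples[i].computed, samples[i].stored));
    printf("branches disagree on %d of %d samples\n",
           count_disagreements(), (int)NSAMPLES);
    return 0;
}
```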

