On Wed, 2002-06-26 at 09:05, M A Young wrote:
> In case people haven't seen it, according to
> http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584
> You can secure your system from the recent ssh security hole by turning
> off "challenge-response" authentication and restarting sshd.

Reviewing the announcement, I wonder if this affects Red Hat's OpenSSH at all... The output of the configure process indicates positively that the affected BSD Auth and S/KEY authentication mechanisms are not available (see below), and connecting to a RHL machine with 'ssh -v' does not indicate that any challenge-response authentication mechanisms are available.

It seems to me that Red Hat is free to take their time about providing an update to OpenSSH 3.4, making damn sure it works right. We've seen several reports of upgrades that don't work quite right, and some of us wouldn't be able to update to a broken version for any reason (firewalls /good/...).

Does anyone have a more informed opinion?

RHL OpenSSH build:

OpenSSH has been configured with the following options:
    User binaries: /usr/bin
    System binaries: /usr/sbin
    Configuration files: /etc/ssh
    Askpass program: /usr/libexec/openssh/ssh-askpass
    Manual pages: /usr/share/man/manX
    PID file: /var/run
    sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
    Manpage format: doc
    PAM support: yes
    KerberosIV support: no
    Smartcard support: no
    AFS support: no
    S/KEY support: no
    TCP Wrappers support: yes
    MD5 password support: no
    IP address in $DISPLAY hack: no
    Use IPv4 by default hack: no
    Translate v4 in v6 hack: yes
    BSD Auth support: no
    Random number source: OpenSSL internal ONLY

    Host: i386-redhat-linux-gnu
    Compiler: i386-redhat-linux-gcc
    Compiler flags: -O2 -march=i386 -mcpu=i686 -Wall -Wpointer-arith -Wno-uninitialized
    Preprocessor flags:
    Linker flags:
    Libraries: -lwrap -lpam -ldl -lutil -lz -lnsl -lcrypto
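
The mitigation quoted at the top of this message, as an added example that is not part of the original post: a shell function that reports whether challenge-response authentication is effectively enabled in an sshd_config. It assumes the setting is the `ChallengeResponseAuthentication` keyword (the post only says "challenge-response"), that sshd uses the first value it reads for a keyword, and that the keyword defaults to `yes` when unset; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: effective ChallengeResponseAuthentication setting.
# Assumptions: first occurrence of a keyword wins, keywords are
# case-insensitive, and the option defaults to "yes" when it is absent.

# effective_cra [FILE] -> prints "yes" or "no" (reads stdin if no FILE)
effective_cra() {
    awk '
        { sub(/#.*/, "") }            # strip comments, incl. commented-out options
        NF == 0 { next }              # skip blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)  # tolerate leading indentation
            n = split(line, f, /[ \t=]+/)
            if (n >= 2 && tolower(f[1]) == "challengeresponseauthentication") {
                print tolower(f[2])
                found = 1
                exit                  # first value read is the one sshd uses
            }
        }
        END { if (!found) print "yes" }   # unset: assume the default of yes
    ' "$@"
}

# cra_is_disabled [FILE] -> exit status 0 only if the effective value is "no"
cra_is_disabled() {
    [ "$(effective_cra "$@")" = "no" ]
}

# Constructed sample: the commented-out "no" does not count, and the later
# "no" is shadowed by the earlier "yes".
sample='Port 22
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no'

if printf '%s\n' "$sample" | cra_is_disabled; then
    echo "challenge-response: disabled"
else
    echo "challenge-response: still enabled (set it to no, then restart sshd)"
fi
```

Run it against the file sshd actually loads, for example `effective_cra /etc/ssh/sshd_config` for the build shown above; the change only takes effect after sshd is restarted.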