Re: OpenSSH
On 26/6/02 8:41 pm, Chris Ball [EMAIL PROTECTED] wrote:

> Chris == Chris Devers [EMAIL PROTECTED] writes:
>
> Chris> Weren't there two recent SSH vulnerabilities? (Hence upgrades
> Chris> from 3.2-3.3, and now on the heels of that 3.3-3.4?) Does
> Chris> this setting inoculate users against both problems?
>
> No, there was one ssh _advisory_ from Theo, saying that we should all be running 3.3 with privsep because of some bugs in the network handling code. He refused to give a patch for the bug. Today's _exploit_ uses that bug to get remote root access.
>
> It's the same vulnerability both times. Turning off challengeauth protects against today's exploit of the network code vulnerability.
>
> AIUI,
>
> - Chris.

It should possibly be pointed out that SSH protocol 1 Blowfish support may have been broken around 3.3. Now I know most sane people will be using protocol 2 but there may be occasions when there is only a windows client around and you have no choice. To get round this you have to use 3des which obviously brings its own problems.

I haven't seen this reported anywhere yet, but am aware of it from discussions elsewhere.

Neil.

--
Neil Ford [EMAIL PROTECTED] | [EMAIL PROTECTED]
Re: OpenSSH
On Thu, 27 Jun 2002, Neil Ford wrote:

> It should possibly be pointed out that SSH protocol 1 Blowfish support may have been broken around 3.3. Now I know most sane people will be using protocol 2 but there may be occasions when there is only a windows client around and you have no choice. To get round this you have to use 3des which obviously brings its own problems.

You mean there are still people using teraterm, rather than putty ?

the hatter
Re: OpenSSH
On Thu, Jun 27, 2002 at 08:47:01AM +, the hatter wrote:

> You mean there are still people using teraterm, rather than putty ?

Yes, on the rare occasions that I use windows to ssh. Putty cannot print.

--
Natalie S. Ford ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø [EMAIL PROTECTED]
http://www.natalie.ourshack.org/ http://natalief.livejournal.com/
Re: OpenSSH
On Thu, Jun 27, 2002 at 02:10:46PM +0100, Natalie S. Ford wrote:

> Yes, on the rare occasions that I use windows to ssh. Putty cannot print.

It does have a Copy All to Clipboard feature which would mean the times you want to print it'd be all there. Or of course, copy/paste in the main window if you just want that.

http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Paul

--
Paul Makepeace ... http://paulm.com/
What is the sun's temperature? Spanish speaking dolphins.
-- http://paulm.com/toys/surrealism/
OpenSSH
Sorry if this is old hat to everybody (I only get the digest of this list once or twice a day so you may already be discussing it) but there is a vulnerability in recent versions of OpenSSH.

http://slashdot.org/articles/02/06/26/1547242.shtml?tid=172

Apparently you can temporarily fix the problem by making sure sshd_config says

    ChallengeResponseAuthentication no

Dunno enough about security to say whether this is important or not.

Yeah yeah, I know nothing to do with perl but I bet this has the highest proportion of sys admins of any mailing list I am on. And this comes less than a day after I upgraded Apache because of a different vulnerability.

Alex Mc
Re: OpenSSH
Alex == Alex McLintock [EMAIL PROTECTED] writes:

Alex> Sorry if this is old hat to everybody (I only get the digest
Alex> of this list once or twice a day so you may already be
Alex> discussing it) but there is a vulnerability in recent
Alex> versions of OpenSSH.

We haven't discussed. Yes, it is important for anyone running versions of OpenSSH between 3.0-3.2 who _doesn't_ have:

Alex> ChallengeResponseAuthentication no

in their sshd_config to upgrade now.

Most sane distributions (like Debian) install sshd with this line as Alex sent it, which means that you aren't vulnerable to today's exploit. If you're running a standard Red Hat sshd_config with OpenSSH 3.0-3.2, though, get upgrading.

OpenSSH 3.4 was released today, so it's worthwhile to upgrade to that and enable privilege separation - at least, according to Theo. :)

Comedy point: openbsd.org now advertises 'One remote hole in the default install, in nearly six years!' rather than the ever-present 'No remote holes in the default install in five years!'.

- Chris.

--
$a=printf.net; Chris Ball | chris@void.$a | www.$a | finger: chris@$a
Blessings to the chap who invented ice cream, ginger-pop and the rest! I'd rather invent things like that any day than rockets and bombs. -- Julian, Five on Finniston Farm
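Added example, not part of any message in this thread: a shell check for the workaround described above, reporting whether an sshd_config effectively sets ChallengeResponseAuthentication to no and whether a version string falls in the 3.0-3.2 range the post names. The function names, the sample config and the sample version string are constructed for illustration; it relies on sshd using the first value it obtains for a keyword and on the keyword defaulting to yes when absent.

```shell
# Added example (not from the thread): audit an sshd_config for the workaround.

# Print the effective global value of a keyword. sshd uses the first value it
# obtains for a keyword, keywords are case-insensitive, '#' starts a comment.
effective_value() {
    # $1 = keyword, $2 = config file, $3 = value to assume if keyword is absent
    awk -v key="$1" -v def="$3" '
        BEGIN { key = tolower(key); val = def }
        /^[ \t]*#/ { next }                      # comment line
        /^[ \t]*$/ { next }                      # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == "match") exit   # global section only
            if (n >= 2 && tolower(f[1]) == key) { val = tolower(f[2]); exit }
        }
        END { print val }
    ' "$2"
}

# True when the version string falls in the 3.0-3.2 range named in the thread.
in_thread_range() {
    # $1 = version string such as "OpenSSH_3.2.3p1"
    set -- $(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ "${1:-0}" -eq 3 ] && [ "${2:-9}" -le 2 ]
}

audit() {
    # $1 = version string, $2 = config file; absent keyword is treated as "yes"
    cra=$(effective_value ChallengeResponseAuthentication "$2" yes)
    if [ "$cra" = "no" ]; then
        echo "mitigated: ChallengeResponseAuthentication no"
    elif in_thread_range "$1"; then
        echo "exposed: upgrade or set ChallengeResponseAuthentication no"
    else
        echo "check: setting is '$cra', version outside 3.0-3.2"
    fi
}

# Constructed sample: the commented-out "no" is ignored and the first live
# line ("yes", lowercase keyword) wins over the later "no".
sample=$(mktemp)
printf '%s\n' '# ChallengeResponseAuthentication no' 'Protocol 2' \
    'challengeresponseauthentication yes' \
    'ChallengeResponseAuthentication no' > "$sample"
audit "OpenSSH_3.2.3p1" "$sample"
rm -f "$sample"
```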
Re: OpenSSH
Chris Ball wrote:

> Alex == Alex McLintock [EMAIL PROTECTED] writes:
>
> Alex> Sorry if this is old hat to everybody (I only get the digest
> Alex> of this list once or twice a day so you may already be
> Alex> discussing it) but there is a vulnerability in recent
> Alex> versions of OpenSSH.
>
> We haven't discussed. Yes, it is important for anyone running versions of OpenSSH between 3.0-3.2 who _doesn't_ have:
>
> Alex> ChallengeResponseAuthentication no
>
> in their sshd_config to upgrade now.

Weren't there two recent SSH vulnerabilities? (Hence upgrades from 3.2-3.3, and now on the heels of that 3.3-3.4?) Does this setting inoculate users against both problems?

> Comedy point: openbsd.org now advertises 'One remote hole in the default install, in nearly six years!' rather than the ever-present 'No remote holes in the default install in five years!'.

heh :)

--
Chris Devers [EMAIL PROTECTED]
DO NOT LEAVE IT IS NOT REAL
Re: OpenSSH
Chris == Chris Devers [EMAIL PROTECTED] writes:

Chris> Weren't there two recent SSH vulnerabilities? (Hence upgrades
Chris> from 3.2-3.3, and now on the heels of that 3.3-3.4?) Does
Chris> this setting inoculate users against both problems?

No, there was one ssh _advisory_ from Theo, saying that we should all be running 3.3 with privsep because of some bugs in the network handling code. He refused to give a patch for the bug. Today's _exploit_ uses that bug to get remote root access.

It's the same vulnerability both times. Turning off challengeauth protects against today's exploit of the network code vulnerability.

AIUI,

- Chris.

--
$a=printf.net; Chris Ball | chris@void.$a | www.$a | finger: chris@$a
Blessings to the chap who invented ice cream, ginger-pop and the rest! I'd rather invent things like that any day than rockets and bombs. -- Julian, Five on Finniston Farm