
CSSA-2002-030.0-OpenSSH Vulnerabilities in Challenge Response Handling

by Nikola Strahija on June 28th, 2002

Several vulnerabilities have been reported in OpenSSH if the S/KEY or BSD Auth features have been enabled, or if PAMAuthenticationViaKbdInt has been enabled.


2. Vulnerable Supported Versions

System                          Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server          prior to and including openssh-3.2.3p1-2
OpenLinux 3.1.1 Workstation     prior to and including openssh-3.2.3p1-2
OpenLinux 3.1 Server            prior to and including openssh-3.2.3p1-2
OpenLinux 3.1 Workstation       prior to and including openssh-3.2.3p1-2


3. Solution

Caldera OpenLinux OpenSSH has neither the S/KEY nor BSD Auth
features compiled in, so it is not vulnerable to the
Challenge/Response vulnerability.

We do have the ChallengeResponseAuthentication option on by
default, however, so to be safe, we recommend that the option
be disabled (set to no) in the /etc/ssh/sshd_config file.

In addition, the sshd_config PAMAuthenticationViaKbdInt option
is disabled by default, so OpenLinux is not vulnerable to the
other alleged vulnerability in a default configuration,
either. However, Caldera recommends that this option also be
disabled (set to no) if it has been enabled by the system
administrator.
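The advisory's recommendation is a configuration change to /etc/ssh/sshd_config. The following script is an added example, not part of the Caldera advisory or of OpenSSH: it audits a given sshd_config for the two keywords named above and rewrites the file so both are set to "no". The function names (sshd_opt_value, sshd_kbdint_audit, sshd_kbdint_harden) are hypothetical. The defaults it assumes when a keyword is absent are the ones the advisory states (ChallengeResponseAuthentication on, PAMAuthenticationViaKbdInt off), and it follows sshd's rule that the first non-comment occurrence of a keyword is the one that takes effect, so a later "no" does not override an earlier "yes".

```shell
#!/bin/sh
# Added example (not Caldera's or OpenSSH's code): audit and harden an
# sshd_config against the two keywords named in CSSA-2002-030.0.
# Function names are hypothetical. Defaults assumed from the advisory:
# ChallengeResponseAuthentication "yes" when unset,
# PAMAuthenticationViaKbdInt "no" when unset.

# Print the effective value (lowercased) of one sshd_config keyword.
# sshd honours the first non-comment occurrence of a keyword, so we stop
# at the first match; "Keyword=value" is accepted as well as "Keyword value".
sshd_opt_value() {
  cfg="$1"; opt="$2"; default="$3"
  v=$(awk -v o="$opt" '
      /^[[:space:]]*#/ { next }            # comment line
      { sub(/=/, " ") }                    # normalise Keyword=value
      NF >= 2 && tolower($1) == tolower(o) { print tolower($2); exit }
    ' "$cfg")
  if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$default"; fi
}

# Report each keyword that is not "no". Returns 0 only when both are off.
sshd_kbdint_audit() {
  cfg="$1"; rc=0
  for pair in "ChallengeResponseAuthentication:yes" "PAMAuthenticationViaKbdInt:no"; do
    opt=${pair%%:*}; def=${pair#*:}
    cur=$(sshd_opt_value "$cfg" "$opt" "$def")
    if [ "$cur" != "no" ]; then
      printf '%s: %s is "%s" (advisory recommends no)\n' "$cfg" "$opt" "$cur"
      rc=1
    fi
  done
  return $rc
}

# Remove every active line for either keyword (commented lines are kept as
# documentation) and append an explicit "no" for both. The rewrite goes to
# a temp file first, so a failed awk leaves the original config untouched.
sshd_kbdint_harden() {
  cfg="$1"; tmp="$cfg.tmp.$$"
  awk '
    /^[[:space:]]*#/ { print; next }
    { line = $0
      sub(/^[[:space:]]+/, "", line); sub(/=/, " ", line)
      split(line, f, /[[:space:]]+/)
      k = tolower(f[1])
      if (k == "challengeresponseauthentication" ||
          k == "pamauthenticationviakbdint") next }
    { print }
  ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
  printf '%s\n' "ChallengeResponseAuthentication no" \
                "PAMAuthenticationViaKbdInt no" >> "$tmp"
  mv "$tmp" "$cfg"
}

# Usage:
#   sshd_kbdint_audit /etc/ssh/sshd_config || sshd_kbdint_harden /etc/ssh/sshd_config
```

After editing the live file, sshd has to re-read its configuration (restart it, or send the running daemon a SIGHUP) before the change takes effect; the audit function checks the file, not the running daemon.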


4. References

Specific references for this advisory:
http://www.cert.org/advisories/CA-2002-18.html

Caldera security resources:
http://www.caldera.com/support/security/index.html


5. Disclaimer

Caldera International, Inc. is not responsible for the misuse
of any of the information we provide on this website and/or
through our security advisories. Our advisories are a service
to our customers intended to promote secure installation and
use of Caldera products.

