"Logan Kennelly" <voltage_spike@fastmail.fm> wrote:

> [...]
> You have probably already done this, but OpenSSH 3.3p1 is still
vulnerable.
> The key is that it now supports privilege separation which should trap
them
> in a little box where they can't do anything.  To enable this, add the
> following line to your sshd config file.
>
> UsePrivilegeSeparation yes

Thanks Logan. Someone on another list also pointed me to
http://www.kb.cert.org/vuls/id/369347 which also seems to be a good,
concise description of the problem, and possible workarounds. For ssh >
2.9, they recommend:

ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt no

along with your recommendation. It sounds like this is a moving target,
at least until 3.4 is readily available.

- Bob