SSH - Preparing for the big one (was Re: SSH Exploit Reveale…

Author: Bob George
Date:
Subject: SSH - Preparing for the big one (was Re: SSH Exploit Revealed (fwd))
"Logan Kennelly" <> wrote:

> [...]
> You have probably already done this, but OpenSSH 3.3p1 is still vulnerable.
> The key is that it now supports privilege separation which should trap them
> in a little box where they can't do anything. To enable this, add the
> following line to your sshd config file.
>
> UsePrivilegeSeparation yes


Thanks Logan. Someone on another list also pointed me to
http://www.kb.cert.org/vuls/id/369347 which also seems to be a good,
concise description of the problem, and possible workarounds. For ssh >
2.9, they recommend:

ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt no

along with your recommendation. It sounds like this is a moving target,
at least until 3.4 is readily available.

- Bob
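
Added example, not part of the original message: a small shell audit that reports which value sshd would actually use for the three settings named in this thread. It relies on sshd matching keywords case-insensitively and using the first value it obtains for each keyword; the function names and the sample config are constructed for illustration, and a missing directive is reported as "unset" rather than assuming a default.

```shell
# Added example (not from the thread): report the effective value of the
# three sshd_config settings mentioned above.
# effective_value FILE KEYWORD: print the first value set for KEYWORD, or "unset".
# sshd matches keywords case-insensitively and uses the first value it obtains.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); found = 0 }
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)    # keyword, then value(s)
            if (n >= 2 && tolower(f[1]) == want) {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_sshd_config FILE: one line per setting; returns 1 if any needs a look.
audit_sshd_config() {
    rc=0
    for pair in UsePrivilegeSeparation=yes \
                ChallengeResponseAuthentication=no \
                PAMAuthenticationViaKbdInt=no
    do
        key=${pair%%=*}; expect=${pair#*=}
        got=$(effective_value "$1" "$key")
        if [ "$got" = "$expect" ]; then
            echo "OK    $key $got"
        else
            echo "CHECK $key is $got, thread suggests $expect"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample config (hypothetical): the "no" appended at the end
# does not take effect because an earlier "yes" is read first.
make_sample() {
    printf '%s\n' '# constructed sample' 'Port 22' \
        'useprivilegeseparation yes' 'ChallengeResponseAuthentication yes' \
        '#PAMAuthenticationViaKbdInt no' 'ChallengeResponseAuthentication no'
}

sample=$(mktemp) && make_sample > "$sample"
audit_sshd_config "$sample" || true
rm -f "$sample"
```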