OpenSSH: multiple vulnerabilities in the new PAM code
Haesu
haesu at towardex.com
Tue Sep 23 13:52:59 PDT 2003
Oh jee, here we go again. Hey, at least patched 3.5p1 on FreeBSD 4.8/4.9 are not affected :)
-hc
--
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | haesu at towardex.com
Cell: (978)394-2867 | Office: (978)263-3399 Ext. 174
Fax: (978)263-0033 | POC: HAESU-ARIN
On Tue, Sep 23, 2003 at 07:48:45AM -0700, Michael Sierchio wrote:
> This affects only 3.7p1 and 3.7.1p1. The advice to leave
> PAM disabled is far from heartening, nor is the semi-lame
> blaming the PAM spec for implementation bugs.
>
> I happen to like OPIE for remote access.
>
> Subject: Portable OpenSSH Security Advisory: sshpam.adv
>
> This document can be found at: http://www.openssh.com/txt/sshpam.adv
>
> 1. Versions affected:
>
> Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
> vulnerabilities in the new PAM code. At least one of these bugs
> is remotely exploitable (under a non-standard configuration,
> with privsep disabled).
>
> The OpenBSD releases of OpenSSH do not contain this code and
> are not vulnerable. Older versions of portable OpenSSH are not
> vulnerable.
>
> 2. Solution:
>
> Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM
> support ("UsePam no" in sshd_config).
>
> Due to complexity, inconsistencies in the specification and
> differences between vendors' PAM implementations we recommend
> that PAM be left disabled in sshd_config unless there is a need
> for its use. Sites only using public key or simple password
> authentication usually have little need to enable PAM.
>
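A small audit check that applies the conditions the quoted advisory states (affected portable builds 3.7p1 and 3.7.1p1, PAM enabled, privilege separation disabled), written as an added example that is not part of this thread or of OpenSSH itself. It assumes the version banner is the output of `ssh -V` and the configuration text is the contents of sshd_config; treating an absent UsePAM line as possibly enabled is an assumption made so the check errs toward flagging.

```python
import re

# Portable builds the advisory names as affected: (major, minor, patch, p-level).
VULNERABLE = {(3, 7, 0, 1), (3, 7, 1, 1)}
VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?p(\d+)")

def parse_version(banner):
    """Turn an `ssh -V` banner such as 'OpenSSH_3.7.1p1, ...' into a tuple."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, portable = m.groups()
    return (int(major), int(minor), int(patch or 0), int(portable))

def parse_sshd_config(text):
    """Lowercased keyword -> value; sshd honours the FIRST occurrence of a keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings

def assess(banner, config_text):
    """Apply the advisory's conditions: affected build, PAM on, privsep off."""
    version = parse_version(banner)
    cfg = parse_sshd_config(config_text)
    use_pam = cfg.get("usepam", "unset")
    privsep = cfg.get("useprivilegeseparation", "unset")
    # Assumption: an absent UsePAM falls back to the build default, so it is
    # treated as possibly enabled rather than as safe.
    affected = version in VULNERABLE and use_pam != "no"
    return {
        "version": version,
        "usepam": use_pam,
        "affected": affected,
        "remotely_exploitable": affected and privsep == "no",
    }

# Constructed sample: a 3.7.1p1 host where a second "UsePAM no" was appended
# later; sshd never reads it because the first UsePAM line wins.
SAMPLE_CONFIG = "UsePAM yes\nUsePrivilegeSeparation no\n# later fix, never read\nUsePAM no\n"

RESULT = assess("OpenSSH_3.7.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090703f", SAMPLE_CONFIG)
```

The duplicate-keyword case is the one worth remembering: an appended `UsePAM no` at the bottom of an existing file changes nothing, so the mitigation must replace the first occurrence.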