-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                   Caldera International, Inc.  Security Advisory

Subject:              Linux: OpenSSH Vulnerabilities in Challenge Response Handling
Advisory number:      CSSA-2002-030.0
Issue date:           2002 June 27
Cross reference:
______________________________________________________________________________


1. Problem Description

   Several vulnerabilities have been reported in OpenSSH. They are
   reachable when the S/KEY or BSD Auth features have been compiled in
   and enabled, or when the PAMAuthenticationViaKbdInt option has been
   enabled in sshd_config.


2. Vulnerable Supported Versions

   System                         Package
   ----------------------------------------------------------------------
   OpenLinux 3.1.1 Server         prior to and including openssh-3.2.3p1-2
   OpenLinux 3.1.1 Workstation    prior to and including openssh-3.2.3p1-2
   OpenLinux 3.1 Server           prior to and including openssh-3.2.3p1-2
   OpenLinux 3.1 Workstation      prior to and including openssh-3.2.3p1-2


3. Solution

   The OpenSSH packages shipped with Caldera OpenLinux are built without
   the S/KEY and BSD Auth features, so they are not affected by the
   challenge/response vulnerability. The ChallengeResponseAuthentication
   option is, however, enabled by default. As a precaution, we recommend
   disabling it (ChallengeResponseAuthentication no) in the
   /etc/ssh/sshd_config file.

   The PAMAuthenticationViaKbdInt option in sshd_config is disabled by
   default, so a default OpenLinux installation is not exposed to the
   other reported vulnerability either. If a system administrator has
   enabled this option, Caldera recommends that it also be disabled
   (PAMAuthenticationViaKbdInt no).

   sshd reads its configuration at startup, so restart the sshd service
   after editing the file for either change to take effect.


4. References

   Specific references for this advisory:

      http://www.cert.org/advisories/CA-2002-18.html

   Caldera security resources:

      http://www.caldera.com/support/security/index.html


5. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of any
   of the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera products.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj0bXRAACgkQbluZssSXDTHiLQCeMb1GV14GQQW4/qI9pZ1b8GkE
jCUAoMfHN2HrA30hoh5mleu8m9Vdjtmg
=CH2/
-----END PGP SIGNATURE-----
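The following is an added example, not part of Caldera's advisory or the OpenSSH project, that checks an sshd_config for the two options section 3 recommends disabling and writes a hardened copy. It applies the defaults the advisory states (ChallengeResponseAuthentication on unless set, PAMAuthenticationViaKbdInt off unless set), treats keywords case-insensitively and takes the first uncommented occurrence of a keyword, which is how sshd resolves repeated settings. The sample configuration it runs against is constructed for the demonstration; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not Caldera's code): audit an sshd_config for the two
# options CSSA-2002-030.0 says to disable, and emit a hardened copy.
# The sample config below is constructed for the demonstration.

# effective_value FILE KEYWORD DEFAULT
# Prints the value sshd would use: the FIRST uncommented occurrence of
# KEYWORD wins (sshd keeps the first value it sees), the keyword match is
# case-insensitive, and an absent keyword falls back to DEFAULT.
effective_value() {
    val=$(awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) && v == "" { v = tolower($2) }
        END { print v }' "$1")
    if [ -n "$val" ]; then echo "$val"; else echo "$3"; fi
}

# audit_sshd_config FILE
# Returns 0 when both options resolve to "no", 1 otherwise, printing a
# warning for each option that is still on.
audit_sshd_config() {
    rc=0
    cra=$(effective_value "$1" ChallengeResponseAuthentication yes)
    pam=$(effective_value "$1" PAMAuthenticationViaKbdInt no)
    if [ "$cra" != "no" ]; then
        echo "WARN: ChallengeResponseAuthentication is '$cra'; set it to no"
        rc=1
    fi
    if [ "$pam" != "no" ]; then
        echo "WARN: PAMAuthenticationViaKbdInt is '$pam'; set it to no"
        rc=1
    fi
    return $rc
}

# harden_sshd_config IN OUT
# Copies IN to OUT with every uncommented setting of the two options
# removed and an explicit "no" for each appended, so the result does not
# depend on sshd's built-in defaults.
harden_sshd_config() {
    awk '!($1 !~ /^#/ && (tolower($1) == "challengeresponseauthentication" ||
                          tolower($1) == "pamauthenticationviakbdint"))' "$1" > "$2"
    printf '%s\n' 'ChallengeResponseAuthentication no' \
                  'PAMAuthenticationViaKbdInt no' >> "$2"
}

# Constructed sample: the shipped layout (option commented out, so the
# built-in "yes" applies) plus an administrator who enabled PAM
# keyboard-interactive with a lower-case keyword.
VULN_CFG=$(mktemp)
HARDENED_CFG=$(mktemp)
trap 'rm -f "$VULN_CFG" "$HARDENED_CFG"' EXIT
cat > "$VULN_CFG" <<'EOF'
Port 22
#ChallengeResponseAuthentication yes
pamauthenticationviakbdint yes
PasswordAuthentication yes
EOF

harden_sshd_config "$VULN_CFG" "$HARDENED_CFG"

echo "== before =="
audit_sshd_config "$VULN_CFG" || true
echo "== after =="
audit_sshd_config "$HARDENED_CFG" && echo "OK: both options are off"
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the functions; a non-zero exit means at least one of the two options is still effective. The awk filter only considers whitespace-separated `Keyword value` lines, which is the form used in the stock sshd_config.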