Iván Arce <[EMAIL PROTECTED]> writes:
> Solution/Vendor Information/Workaround:
[...]
>  SSH.com
>   ssh-1 up to version 1.2.31 is vulnerable.
>   The official response from SSH.com follows:
>
>   -SSH1 is deprecated and SSH.com does not support it
>    anymore, the official response is upgrade to SSH2
>   -The SSH1 compatibility code built into SSH-2.4.0 always executes a
>    fresh copy of SSHD1, which causes the server key to be regenerated
>    for every connection.  Thus, the attack is not at all feasible when
>    using SSH1 with an SSH2 server in compatibility mode.

I run a version 1 ssh.com sshd out of inetd using Wietse Venema's tcpd
because tcp_wrappers support is incomplete/buggy in the daemon itself (at
least in 1.2.27 -- haven't re-tested the later versions to see if they fix
this).  The daemon linked with libwrap doesn't support the rfc931 action and
I've had problems with it being overly permissive when specifying allowed IP
ranges.

In this case:

    ssh stream tcp nowait root /usr/local/sbin/tcpd /usr/local/sbin/sshd -i

as in the 2.4.0 SSH1 compatibility case mentioned above, there's a fresh
daemon for each connection.  Annoying waiting for the server key to be
generated for each connection if your machine isn't blazing fast, but a side
effect is that this attack is prevented.

----------------------------------------------------------------------
Dan Harkless                   | To prevent SPAM contamination, please
[EMAIL PROTECTED]  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.
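For readers who want to see what the tcpd-based setup above gives you that the libwrap-linked daemon reportedly did not, here is an added example of a tcp_wrappers access-control file for an inetd-spawned sshd. It is not part of the original post; the address ranges are constructed, and it assumes tcp_wrappers was built with the extended option language of hosts_options(5) (the ALLOW/DENY/rfc931 keywords), which is the default in Wietse Venema's distribution.

```text
# /etc/hosts.allow (constructed example, not from the original post)
#
# The daemon name is the basename of the server tcpd execs, so with
# "/usr/local/sbin/tcpd /usr/local/sbin/sshd -i" in inetd.conf the
# rules are keyed on "sshd".

# Permit the management network only; a net/mask pair is unambiguous,
# unlike a bare prefix such as "10.1." which also matches 10.1.x.x.
sshd: 10.1.0.0/255.255.0.0 : ALLOW

# Everything else: do an ident (RFC 931) lookup with a 10-second
# timeout so the refused connection is logged with the remote user
# name when the client host answers, then refuse the connection.
sshd: ALL : rfc931 10 : severity auth.info : DENY
```

Because ALLOW and DENY are decided inside hosts.allow, hosts.deny can stay empty; the first matching rule wins, so the permissive line must come before the catch-all. Each connection still forks a fresh sshd under tcpd, which is the property the post relies on to defeat the server-key attack.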