On 26 Jun 2002, Gordon Messmer wrote:

> On Wed, 2002-06-26 at 09:05, M A Young wrote:
> > In case people haven't seen it, according to
> > http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584
> > You can secure your system from the recent ssh security hole by turning
> > off "challenge-response" authentication and restarting sshd.
>
> Reviewing the announcement, I wonder if this affects Red Hat's OpenSSH
> at all... The output of the configure process indicates positively that
> the affected BSD Auth and S/KEY authentication mechanisms are not
> available (see below), and connecting to a RHL machine with 'ssh -v'
> does not indicate that any challenge-response authentication mechanisms
> are available.

The "bug" does not appear to affect Redhat supplied OpenSSH, neither S/KEY
nor BSD Auth is configured.

Gordon is correct as far as I can tell, THERE IS NO VULNERABILITY for Redhat
supplied OpenSSH for this particular issue. There is NO NEED to upgrade yet.
I've heard of at least one possible hole in the 3.3 version (sorry, lost the
link) so don't upgrade blindly.

I haven't grabbed a SRPM yet to absolutely verify this, but I will do so and
I would expect an announcement from Redhat soon as well.

Later,
Bill Carlson
--
Systems Programmer [EMAIL PROTECTED]     | Anything is possible,
Virtual Hospital http://www.vh.org/      | given time and money.
University of Iowa Hospitals and Clinics | Opinions are mine, not my employer's.
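
Added example (not part of the original message and not OpenSSH project code): a shell check for the workaround mentioned in the quoted post, reporting whether an sshd_config file turns off challenge-response authentication. It assumes the keyword is `ChallengeResponseAuthentication`, that the first occurrence of a keyword wins, and that an unset keyword defaults to `yes`; the function names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: effective ChallengeResponseAuthentication value in an
# sshd_config-style file.
# Assumptions: first occurrence of the keyword wins; unset means "yes".

cr_auth_setting() {
    # $1: path to an sshd_config file; prints "yes", "no", or the raw value
    awk '
        /^[ \t]*#/ { next }                  # commented-out lines do not count
        { gsub(/=/, " ") }                   # accept "Keyword=value" as well
        tolower($1) == "challengeresponseauthentication" {
            print tolower($2); found = 1; exit   # first value wins
        }
        END { if (!found) print "yes" }      # assumed default when unset
    ' "$1"
}

workaround_applied() {
    # Succeeds only when the file explicitly disables challenge-response.
    [ "$(cr_auth_setting "$1")" = "no" ]
}

# Constructed sample configs (not taken from any real host).
demo_dir=$(mktemp -d)
printf '%s\n' 'Port 22' \
    '#ChallengeResponseAuthentication no' > "$demo_dir/commented.conf"
printf '%s\n' 'Port 22' \
    'challengeresponseauthentication no' \
    'ChallengeResponseAuthentication yes' > "$demo_dir/disabled.conf"

for f in "$demo_dir"/*.conf; do
    if workaround_applied "$f"; then
        echo "$(basename "$f"): challenge-response disabled"
    else
        echo "$(basename "$f"): challenge-response enabled" \
             "(effective value: $(cr_auth_setting "$f"))"
    fi
done
rm -rf "$demo_dir"
```

A commented-out `no` line leaves the setting at its default, so the first sample still reports as enabled; as the quoted post says, sshd has to be restarted after the file is changed.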