Hey Guys,
Ease up... SuSE is doing what they can. The blame goes to Theo for not divulging the actual exploit... (even to the vendors.)
If you read the release notes on the new version of SSH, you will find that this version isn't really ready for prime time. There is quite a list of "known problems" with it, including the PAM breakage that many people are experiencing.
Now, I am sure that Theo and ISS have a good reason for not divulging the exploit... and even though it goes against the grain of "open source" philosophy, I'd rather they not announce it until a *REAL* fix has been produced. Especially since I have so many exposed machines in different places.
- Herman
Dave wrote:
----- Original Message -----
From: "M. Neubert"
To: "'Thomas Reitelbach'"
Sent: Wednesday, June 26, 2002 2:25 AM
Subject: RE: [suse-security] OpenSSH 3.3p1 / SuSE 7.3 / no login possible
Hello list,
I have the same problem but no answer. My config: SuSE 7.3 / OpenSSH 3.3p1 / MD5-pass
Only Protocol-2 with RSA-Auth is working. What is the problem? MD5 or PAM?
This is my first post to the list, prompted by the OpenSSH 3.3p1 update. I'd like to thank the SuSE team for securing the system - specifically disabling ssh access via keyboard authentication.
I have the same problem, namely md5 passwords on SuSE 7.3, and can no longer get keyboard authentication to work, after disabling compression and privilege separation.
I sympathise with the pressure the team is under day to day, but can we have a bit more testing next time, please guys? At least make the 2.9.9p2-98 patch available until there is an updated version that authenticates properly (I believe the OpenSSH team is moving for a security fix version by Monday, rather than one which merely coincidentally closes the hole?)
I'm surprised at the haste with which this update was released - especially considering the vague nature of security concerns raised.
Dave
Alfar Networks