Mailinglist Archive: opensuse-security (334 mails)

Re: [suse-security] Portable OpenSSH Security Advisory: sshpam.adv
  • From: Simon Oliver <simon.oliver@xxxxxxxxxxx>
  • Date: Wed, 24 Sep 2003 14:56:26 +0100
  • Message-id: <3F71A28A.5090809@xxxxxxxxxxx>
> There is also a "Hosts" directive to restrict logins to specific
> IP addresses.
It is not documented and when I tried it (on a box running OpenSSH_3.4p1) sshd start failed, complaining about the Hosts directive (perhaps I formatted it incorrectly).

I did get it working with the AllowUsers directive:

AllowUsers *@*.my.domain

Using this method I find that it still gives the user a login prompt (but always rejects their login unless they are within *.my.domain). Assuming I can trust all machines in *.my.domain, will this actually protect from the vulnerability? At what point in the connection process does the exploit occur - presumably prior to login?

Simon Oliver
