Mailinglist Archive: opensuse-security (334 mails)

< Previous Next >
Portable OpenSSH Security Advisory: sshpam.adv
  • From: Simon Oliver <simon.oliver@xxxxxxxxxxx>
  • Date: Wed, 24 Sep 2003 09:49:39 +0100
  • Message-id: <3F715AA3.6010609@xxxxxxxxxxx>
Please see below for details of another openssh advisory.

Is the current patched version of SuSE vulnerable to this attack?

The advisory warns that we are vulnerable if privsep is disabled - the most recent patch from SuSE disabled privsep by default!

I like the idea of privsep, please can somebody at SuSE answer the following:

1. How do I re-enable privsep - is it enough to turn it on in the sshd_config?
2. What is the problem with enabling privsep in the latest release?
3. How do I check that privsep is actually working - there doesn't seem to be any record of it in the syslog.
4. I am used to restricting access to many services via the hosts.allow - will this help if there is an sshd exploit?

Thanks

--
Simon Oliver

This document can be found at: http://www.openssh.com/txt/sshpam.adv

1. Versions affected:

Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
vulnerabilities in the new PAM code. At least one of these bugs
is remotely exploitable (under a non-standard configuration,
with privsep disabled).

The OpenBSD releases of OpenSSH do not contain this code and
are not vulnerable. Older versions of portable OpenSSH are not
vulnerable.

2. Solution:

Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM
support ("UsePam no" in sshd_config).

Due to complexity, inconsistencies in the specification and
differences between vendors' PAM implementations we recommend
that PAM be left disabled in sshd_config unless there is a need
for its use. Sites only using public key or simple password
authentication usually have little need to enable PAM support.





< Previous Next >
Follow Ups