[TriLUG] Re: OpenSSH Security Advisory (adv.iss)

Jeremy Katz katzj at linuxpower.org
Wed Jun 26 17:07:26 EDT 2002


On Wed, 2002-06-26 at 15:51, Jeremy P wrote:
> On 26 Jun 2002, Tom 'spot' Callaway wrote:
> > > Just to make sure I've got this right, my config file says:
> > > 
> > > #ChallengeResponseAuthentication yes
> > > 
> > > but it doesn't say what default value is...and it's commented out.
> > > I don't think I've changed this value...so I assume this is the
> > > way it appears in the config at installation (RH 7.2).
> > > 
> > > I think I should change this to:
> > > 
> > > ChallengeResponseAuthentication no
> > > 
> > > Correct?
> > > Was the default value for this setting 'yes'?
> > 
> > No, the default value is no. ChallengeResponseAuthentication is only
> > used for things like s/key. You'd know if you turned it on.
> 
> Actually, ChallengeResponseAuthentication DOES have a default of "yes"
> (see man sshd_config, or look at the sources, to verify this). However, my
> impression is it doesn't really do anything unless you are using s/key
> and/or other esoteric authentication methods.  It isn't clear to me
> whether the *exploits* will work even if you aren't using s/key etc.  But
> setting ChallengeResponseAuthentication no is the best course if you
> aren't using it; in general it's a good idea to turn off anything you
> aren't using.

No, they won't.   Basic flow when CRA is enabled is that it first checks
to see if there are any "devices" available which use CRA (BSD AUTH and
S/KEY are the only two of these in stock openssh and they're not enabled
in at least most if not all Linux vendors' openssh builds).  If there
aren't, it bypasses the keyboard interactive code and thus the bit of
code with the overflow.  

Cheers,

Jeremy
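The configuration question in this thread, as an added example that is not part of the original messages: a commented-out `#ChallengeResponseAuthentication yes` line sets nothing, so the compiled-in default applies. The function name `effective_cra`, the sample files, and the default of "yes" (taken from the man page reference quoted above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: report the effective ChallengeResponseAuthentication
# value for an sshd_config file, plus where that value came from.
# Assumption: the compiled-in default is "yes" (per the sshd_config man
# page cited in the thread); pass a second argument to override it.
effective_cra() {
    config=$1
    default=${2:-yes}
    awk -v def="$default" '
        # Comments and blank lines set nothing: "#Keyword value" is inert.
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # Keyword and argument are separated by whitespace or "=".
            split(line, f, /[ \t=]+/)
            key = tolower(f[1])          # keywords are case-insensitive
            # Lines after a Match block (newer OpenSSH) are conditional,
            # so the global scan stops there.
            if (key == "match") exit
            if (key == "challengeresponseauthentication") {
                val = f[2]; src = "explicit"
                exit                     # first value obtained wins
            }
        }
        END {
            if (src == "") { val = def; src = "default" }
            print val, src
        }
    ' "$config"
}

# Constructed sample files (not taken from a real host).
tmp=$(mktemp -d)
printf '%s\n' '#ChallengeResponseAuthentication yes' > "$tmp/stock"
printf '%s\n' 'ChallengeResponseAuthentication no'   > "$tmp/hardened"
for name in stock hardened; do
    echo "$name: $(effective_cra "$tmp/$name")"
done
rm -rf "$tmp"
```

On OpenSSH releases that support it, `sshd -T` prints the effective configuration directly and is the authoritative check.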




