openssh unix dev - Aug 2001 - OpenSSH 2.9p2 / SSH3 vulnerability?

I have a few questions:

1) Is OpenSSH 2.9p2 (or any other version of OpenSSH) vulnerable to the same
problem as SSH3.0.0?
(described here:
 http://www.kb.cert.org/vuls/id/737451 )

2) There is a "SECURID" patch in the contrib section since 2.5.2p2.  I
am using it, but applying this
patch to each new version is growing more difficult as time goes on.  Would you
consider merging this
function into the core of openssh? (with a configure flag and everything)?  I
would certainly
appreciate it...

3) when is the next version of OpenSSH due to come out?  It seems that a new one
arrives only moments
after I finish my "make install" on 4-5 different platforms.. :-)

Jim Ault, aultj at crd.ge.com

On Tue, 21 Aug 2001, Ault, James R (CRD) wrote:
>
> I have a few questions:
>
> 1) Is OpenSSH 2.9p2 (or any other version of OpenSSH) vulnerable to the
same problem as SSH3.0.0?
> (described here:
>  http://www.kb.cert.org/vuls/id/737451 )
>
I looked around and tried it out.. and I could not find anything that
resembled that security hole in OpenSSH.   I'm sure Markus and other did
a more indepth check.

> 2) There is a "SECURID" patch in the contrib section since
2.5.2p2.  I am using it, but applying this
> patch to each new version is growing more difficult as time goes on.  Would
you consider merging this
> function into the core of openssh? (with a configure flag and everything)? 
I would certainly
> appreciate it...
>
There is?  I don't see it in the -current version of the portable.

I don't believe there is any plans on adding Secure ID.  I no longer
remember the reasons.. <shrug>

But doing a simple grep for "SecureID"  in my archives I see comments
like

"Integrating SecureID is additional complexity which has to be
maintained,"

.. So I think it's a safe bet it will not. =)


Version 3.0 will ship with Crytocard support (currently not tested well
outside of OpenBSD platform).
> 3) when is the next version of OpenSSH due to come out?  It seems that a
new one arrives only moments
> after I finish my "make install" on 4-5 different platforms.. :-)
>
Can't say for sure.=) When ever I do I get corrected by Theo and Markus,
but a release is 'Coming'...  I know Markus would like a release before
Sept.

Unless Damien has any quarms I was going to call for people to
start testing in the next day or so (if I can catch my breath from other
projects).

- Ben

Ault, James R (CRD) wrote:
> 2) There is a "SECURID" patch in the contrib section since
2.5.2p2.
> I am using it, but applying this patch to each new version is growing
> more difficult as time goes on.  Would you consider merging this
> function into the core of openssh? (with a configure flag and
> everything)?  I would certainly appreciate it...
The newest version of this patch is always available at:

http://www.omniti.com/~jesus/projects/

(as it says in the diff included with openssh).

I was latent in getting the OpenSSH maintainer the 2.9p2 patch (read: never 
sent it).  I will try to be better about that for next release.

-- 
Theo Schlossnagle
1024D/82844984/95FD 30F1 489E 4613 F22E  491A 7E88 364C 8284 4984
2047R/33131B65/71 F7 95 64 49 76 5D BA  3D 90 B9 9F BE 27 24 E7