Logu wrote:
> Is there a fix available from openssh for the reported vulnerability
> when pam is enabled.
> http://www.securityfocus.com/bid/11781
You will need to apply both patches. The first patch
(openbsd-sshd-kbdint-leak) affects more than PAM, it affects all other
challenge-response authentications too so it needs wider testing.
Alternatively, for 3.9p1 set "ChallengeResponseAuthentication no" and
"PasswordAuthentication yes" in sshd_config (and restart sshd,
obviously).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openbsd-sshd-kbdint-leak.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20041221/937fca15/attachment.ksh
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-pam-kbdint-leak.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20041221/937fca15/attachment-0001.ksh
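
Added example (not part of the original message and not OpenSSH project code): a shell check that an sshd_config actually has the workaround settings from the reply in effect. It assumes sshd's first-occurrence-wins parsing and a default of "yes" for both options; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the sshd_config workaround is in effect.
# Assumptions: first occurrence of a keyword wins, keywords are
# case-insensitive, and both options default to "yes" when unset.

# Print the effective (lowercased) value of keyword $2 in file $1, else $3.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next      # blank or comment
            n = split(line, f, /[ \t=]+/)
            if (n >= 2 && tolower(f[1]) == key) {
                v = f[2]; gsub(/"/, "", v)
                print tolower(v); found = 1; exit
            }
        }
        END { if (!found) print def }
    ' "$1"
}

# Succeed only if challenge-response is off and password auth is on.
kbdint_workaround_applied() {
    cr=$(sshd_effective "$1" ChallengeResponseAuthentication yes)
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    [ "$cr" = "no" ] && [ "$pw" = "yes" ]
}

# Constructed sample configs (not taken from any real host).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/stock" <<'EOF'
#ChallengeResponseAuthentication no
UsePAM yes
EOF
cat > "$tmp/fixed" <<'EOF'
challengeresponseauthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
EOF

for f in "$tmp/stock" "$tmp/fixed"; do
    if kbdint_workaround_applied "$f"; then
        echo "$f: workaround applied"
    else
        echo "$f: workaround NOT applied"
    fi
done
```

A commented-out option counts as unset, so the "stock" sample falls back to the default and is reported as not applied; sshd must still be restarted for a changed file to take effect.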