HPE Community
Operating System - HP-UX
1825775 Members
2134 Online
109687 Solutions
New Discussion

Re: another ssh bug - PAM?

 
jmb
Regular Advisor

‎09-30-2003 04:13 AM

‎09-30-2003 04:13 AM

another ssh bug - PAM?

Now getting reports of a new vulnerability affecting the PAM code in OpenSSH. Does anyone know if/how this hits HP's versions and fixes?

Thanks!
0 Kudos
Reply
9 REPLIES 9
Steven E. Protter
Exalted Contributor

‎09-30-2003 04:24 AM

‎09-30-2003 04:24 AM

Re: another ssh bug - PAM?

There has been a recent release of security bug fixes with HP's port of openssh 3.6, which is called secure shell.

HP indicates it deals with recent cert security bullitens.

Here is a link.

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Zeev Schultz
Honored Contributor

‎09-30-2003 04:31 AM

‎09-30-2003 04:31 AM

Re: another ssh bug - PAM?

Its for 3.7/3.7.1. HP version is 3.61.

http://www.openssh.com/txt/sshpam.adv

http://www4.itrc.hp.com/service/cki/secBullArchive.do?admit=-938907319+1064939067860+28353475
So computers don't think yet. At least not chess computers. - Seymour Cray
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎09-30-2003 04:33 AM

‎09-30-2003 04:33 AM

Re: another ssh bug - PAM?

I'd also want to stay current on pam itself.

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J5849AA


SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Alzhy
Honored Contributor

‎09-30-2003 05:27 AM

‎09-30-2003 05:27 AM

Re: another ssh bug - PAM?

HP's version is VULNERABLE....

Install Build OpenSSH 3.7.1p2... This addresses both the buffer overflow and PAM issue of Septmber 2003.

HP's officially built SSH is still at 3.6.1p2.... The Connect site has a pre-built 3.7.1.p2 ready for download and build just a few days ago...

As more vulnerabilities would probably be on the horizon, it is better to have your own build environment where you can quickly patch the sources and rebuild... Get gcc 3.3.1, OpenSSH sources and dependencies - Zlib, tcpwrappers and openSSL plus HP's KRNG (strong randomness) package..

HTH.
Hakuna Matata.
0 Kudos
Reply
jmb
Regular Advisor

‎09-30-2003 05:34 AM

‎09-30-2003 05:34 AM

Re: another ssh bug - PAM?

Just curious why you say HP's is vulnerable, when the problem hit in 3.7, and Secure Shell's release is 3.6? That appears to be the explanation above...
0 Kudos
Reply
Alzhy
Honored Contributor

‎09-30-2003 05:45 AM

‎09-30-2003 05:45 AM

Re: another ssh bug - PAM?

The buffer overflow applies to all versions up to 3.7.1. 3.7.1p1 solves the buffer overflow. 3.7.1.p2 solves the PAM thingy...

I don't think the SEP2003 HP SSH is patched yet as the sources are based on 3.6.1p2.
Hakuna Matata.
0 Kudos
Reply
Krzysztof Grudzinski
Occasional Advisor

‎09-30-2003 09:46 AM

‎09-30-2003 09:46 AM

Re: another ssh bug - PAM?

http://www.openssh.com/txt/buffer.adv

The question is if the patch is included.

Another soultion: Upgrade to OpenSSH 3.7.1

0 Kudos
Reply
Zeev Schultz
Honored Contributor

‎09-30-2003 09:14 PM

‎09-30-2003 09:14 PM

Re: another ssh bug - PAM?

Folks,
As it seems to me hp provided includes fix posted on the openssh site. The one called
buffer overflow -

http://www.cert.org/advisories/CA-2003-24.html

Now as to PAM bug, I understood from openssh site that it's about a new pam code introduced in 3.7.

I don't know what portion of PAM code is affected in the OpenSSH version, but I assume (based on previous pam related bugs in the openssh , like this one ie:
http://www.securityfocus.com/bid/5093/discussion/ ) that it will be about those settings in sshd.conf:
ChallengeResponseAuthentication
PasswordAuthentication yes
PAMAuthenticationViaKbdInt

I personally prefer user public key authentication and not to use pam.
So computers don't think yet. At least not chess computers. - Seymour Cray
0 Kudos
Reply
jmb
Regular Advisor

‎10-01-2003 10:43 AM

‎10-01-2003 10:43 AM

Re: another ssh bug - PAM?

** Another New Alert **

This is from Open SSL: "A bug in OpenSSLs SSL/TLS protocol was also identified which causes OpenSSL to parse a client certificate from an SSL/TLS client when it should reject it as a protocol error."

The deluge continues. HP was pretty good about responding to the first one or two from a couple of weeks ago. Any news from HP about the SSL problem? Does it affect the latest Secure Shell release, and if so, when will it be fixed?

Thanks!
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.