[TriLUG] Re: OpenSSH Security Advisory (adv.iss)
Jeremy P
jeremyp at pobox.com
Wed Jun 26 15:51:04 EDT 2002
On 26 Jun 2002, Tom 'spot' Callaway wrote:
> > Just to make sure I've got this right, my config file says:
> >
> > #ChallengeResponseAuthentication yes
> >
> > but it doesn't say what default value is...and it's commented out.
> > I don't think I've changed this value...so I assume this is the
> > way it appears in the config at installation (RH 7.2).
> >
> > I think I should change this to:
> >
> > ChallengeResponseAuthentication no
> >
> > Correct?
> > Was the default value for this setting 'yes'?
>
> No, the default value is no. ChallengeResponseAuthentication is only
> used for things like s/key. You'd know if you turned it on.
Actually, ChallengeResponseAuthentication DOES have a default of "yes"
(see man sshd_config, or look at the sources, to verify this). However, my
impression is it doesn't really do anything unless you are using s/key
and/or other esoteric authentication methods. It isn't clear to me
whether the *exploits* will work even if you aren't using s/key etc. But
setting ChallengeResponseAuthentication no is the best course if you
aren't using it; in general it's a good idea to turn off anything you
aren't using.
--Jeremy
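For anyone checking their own sshd_config after this thread, here is an added example (not part of the original post, and not OpenSSH's own code) that reports the effective ChallengeResponseAuthentication value, treating a missing or commented-out directive as the default "yes" discussed above. It assumes OpenSSH's config syntax: one "Keyword value" per line, a case-insensitive keyword, '#' starting a comment, and the first occurrence of a keyword winning. The sample configs it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSH: report the
# effective ChallengeResponseAuthentication value of an sshd_config.
# Assumed OpenSSH config rules: "Keyword value" per line, keyword is
# case-insensitive, '#' starts a comment, the first occurrence of a keyword
# wins, and a keyword that never appears takes its built-in default
# (the thread above notes that default is "yes" for this keyword).

# Print the effective value: the first uncommented directive, or "yes" when
# the directive is absent or only present as a comment (#ChallengeResponse...).
effective_cra() {
    val=$(awk '
        { sub(/#.*/, "") }                 # drop comments, including "#Keyword value"
        NF == 0 { next }                   # skip lines that are now blank
        tolower($1) == "challengeresponseauthentication" { print tolower($2); exit }
    ' "$1")
    [ -n "$val" ] && echo "$val" || echo "yes"
}

# Exit status 0 when the directive is explicitly "no", 1 otherwise.
cra_disabled() {
    [ "$(effective_cra "$1")" = "no" ]
}

# Constructed sample configs for the demonstration (not files from the post).
shipped=$(mktemp)   # directive commented out, like the RH 7.2 config quoted above
hardened=$(mktemp)  # directive explicitly set to no, a later commented copy ignored
printf '#ChallengeResponseAuthentication yes\nPermitRootLogin no\n' > "$shipped"
printf 'ChallengeResponseAuthentication no\n#ChallengeResponseAuthentication yes\n' > "$hardened"

for f in "$shipped" "$hardened"; do
    if cra_disabled "$f"; then
        echo "$f: ChallengeResponseAuthentication is off"
    else
        echo "$f: effective value is $(effective_cra "$f") (built-in default applies when commented out)"
    fi
done
rm -f "$shipped" "$hardened"
```

Run it against /etc/ssh/sshd_config by calling effective_cra on that path; a result of "yes" on a host that does not use s/key or similar challenge-response methods is the case the thread recommends fixing with an explicit "ChallengeResponseAuthentication no".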