Bugtraq mailing list archives
Re: SSH 1.2.25/HP-UX 10.20 Vulnerability
From: jneves () RNL IST UTL PT (Joao Miguel Neves)
Date: Thu, 10 Sep 1998 10:50:30 +0100
However, if user connects via SSH using newly created username, no password authentication is performed and user automatically drops into shell. This can be especially dangerous on systems where users are added on a daily basis (universities for example) and other users aware of this bug could gain access to newly created accounts (remote users could gain information about new users using finger command, for example). FIXES: SSH 1.2.26 is available for over a month now (this problem has been fixed). Also, version 2.0 of SSH is released (completely rewritten).
Is this fixed for all situations? For instance the Digital Unix C2 patch only worked when the authentication was with the password if you used any of the other authentication methods (RSA key, for instance) the limits aren't implemented. The person who did the patch already corrected it, but last week he had not sent this to be put on the major release. Joao Miguel Neves
Current thread:
- Re: NT4-SP3 Sequence Prediction nate () ROOT ORG (Sep 09)
- Re: NT4-SP3 Sequence Prediction Mark Gansle (Sep 09)
- SSH 1.2.25/HP-UX 10.20 Vulnerability Security Research Team (Sep 10)
- Re: SSH 1.2.25/HP-UX 10.20 Vulnerability Joao Miguel Neves (Sep 10)
- <Possible follow-ups>
- Re: NT4-SP3 Sequence Prediction Steve Bellovin (Sep 09)