Bugtraq mailing list archives

Re: SSH 1.2.25/HP-UX 10.20 Vulnerability


From: jneves () RNL IST UTL PT (Joao Miguel Neves)
Date: Thu, 10 Sep 1998 10:50:30 +0100


However, if a user connects via SSH using a newly created username, no password
authentication is performed and the user automatically drops into a shell.

This can be especially dangerous on systems where users are added on a
daily basis (universities, for example) and other users aware of this bug
could gain access to newly created accounts (remote users could gain
information about new users using the finger command, for example).

FIXES:

SSH 1.2.26 has been available for over a month now (this problem has been fixed).
Also, version 2.0 of SSH has been released (completely rewritten).

Is this fixed for all situations? For instance, the Digital Unix C2 patch
only worked when the authentication was with the password; if you used any
of the other authentication methods (RSA key, for instance), the limits
aren't implemented. The person who did the patch already corrected it, but
last week he had not sent this to be put in the major release.

                                                Joao Miguel Neves


