The OpenSSH Bug That Wasn't
badger.foo writes: Get your facts straight before reporting, is the main takeaway from Peter Hansteen's latest piece, The OpenSSH Bug That Wasn't. OpenSSH servers that are set up to use PAM for authentication and with a very specific (non-default on OpenBSD and most other places) setup are in fact vulnerable, and fixing the configuration is trivial.
According to the article, it's a bug in PAM.
You shouldn't see this behaviour with SSH unless you have PAM authentication turned on. And apparently only in FreeBSD?
And as OpenBSD developer Marc Espie says in his message,
Not surprisingly, as the patch clearly shows, the problem is right smack in the middle of USE_PAM code.
I wouldn't call that an OpenSSH bug. I would call it a systemic design flaw in PAM. As usual. LOTS of security holes in authentication systems stem from PAM. Why? Because that stuff is overdesigned. Difficult to configure. Gives you MORE than you need to hang yourself several times over. It's been that way for as long as I can remember.