VanDyke Software Information for VU#973635
Some SSH servers on Microsoft Windows set insecure permissions for the host identification key file
- Date Notified: 25 Jul 2005
- Statement Date:
- Date Updated: 12 Aug 2005
In VShell versions 2.3.5 and earlier for Windows, when a host key is automatically created by VShell, the host key file inherits the permissions of its parent directory, potentially allowing access to authenticated users.
Affected Product Versions:
- VShell for Windows, version 2.3.5 and earlier.
VShell version 2.3.6 will ensure that when a host key is automatically generated, the permissions on the host key file will be set such that only SYSTEM and members of the Administrators group will have access rights.
VShell users with existing host key files can correct the permissions by modifying the Access Control List for the private host key file such that only SYSTEM and Administrators have access.
By default, the private host key file is created as:
Note: If you have configured VShell to run as a user other than SYSTEM, you will need to allow this user access to the host key file.
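The ACL check and correction described above, as an added PowerShell example (not VanDyke's or CERT's code). The script name, the parameter names and the choice of FullControl are assumptions, and the key path is a placeholder because the page does not give the default location.

```powershell
# Added example, not vendor code. Run from an elevated prompt.
# Usage (script name is hypothetical; path is a placeholder not given on the page):
#   .\Check-HostKeyAcl.ps1 -KeyPath '<path-to-private-host-key>' [-ExtraAllowed 'DOMAIN\svc'] [-Fix]
param(
    [Parameter(Mandatory = $true)] [string] $KeyPath,
    [string[]] $ExtraAllowed = @(),   # service account, if VShell does not run as SYSTEM
    [switch]   $Fix
)

$sidType = [System.Security.Principal.SecurityIdentifier]
# Well-known SIDs: S-1-5-18 = SYSTEM, S-1-5-32-544 = BUILTIN\Administrators
$allowed = @('S-1-5-18', 'S-1-5-32-544')
foreach ($name in $ExtraAllowed) {
    $allowed += ([System.Security.Principal.NTAccount]$name).Translate($sidType).Value
}

$acl   = Get-Acl -LiteralPath $KeyPath
$rules = @($acl.GetAccessRules($true, $true, $sidType))   # explicit and inherited ACEs
$unexpected = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $allowed -notcontains $_.IdentityReference.Value
})

foreach ($r in $unexpected) {
    $who = try { $r.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
           catch { $r.IdentityReference.Value }   # SID that no longer resolves to a name
    Write-Output ('UNEXPECTED {0}: {1} (inherited={2})' -f $who, $r.FileSystemRights, $r.IsInherited)
}
if (-not $acl.AreAccessRulesProtected) {
    Write-Output 'WARNING: the file still inherits permissions from its parent directory.'
}

if ($unexpected.Count -eq 0 -and $acl.AreAccessRulesProtected) {
    Write-Output 'OK: only the expected principals have access and inheritance is disabled.'
} elseif ($Fix) {
    $acl.SetAccessRuleProtection($true, $false)   # drop ACEs inherited from the parent directory
    foreach ($r in ($rules | Where-Object { -not $_.IsInherited })) {
        $acl.PurgeAccessRules($r.IdentityReference)   # remove every explicit ACE for that identity
    }
    foreach ($sid in $allowed) {
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        # FullControl is an assumption; the page only says these principals "have access".
        $acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
    }
    Set-Acl -LiteralPath $KeyPath -AclObject $acl
    Write-Output 'ACL rewritten; re-run without -Fix to confirm.'
} else {
    Write-Output 'Re-run with -Fix to restrict the file to the allowed principals.'
}
```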
The vendor has not provided us with any further information regarding this vulnerability.
Because the host key may have been compromised, we also suggest that you create a new host key for the system.