US-CERT Vulnerability Notes Database

Nortel Networks Information for VU#341187

Date Notified: 2002-05-10
Date Updated:
Status Summary: Not Vulnerable

Vendor Statement

Initial verification on a Solaris 8 server with OpenSSH 31p1
indicates that the "AllowedAuthentications" keyword is not used in
the OpenSSH server configuration. However, OpenSSH uses the following
two keywords for authentication configuration:

"PubkeyAuthentication"
"PasswordAuthentication"

The default value for both keywords is yes, which means the server
will allow both password and public key authentication. This is not
a vulnerability. But since all keywords including
"PasswordAuthentication" in the default OpenSSH sshd_config file are
commented out, users who want the public key authentication method only
may mistakenly just uncomment the "PubkeyAuthentication" keyword and
assign a yes value to it, not knowing that password authentication is
on by default even though that keyword is commented out in the
configuration file.

Workaround fix: For OpenSSH, if public key authentication is the only
method allowed, change the default value from "yes" to "no" for the
"PasswordAuthentication" keyword in the sshd_config file.
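
The following script is an added example, not part of the CERT/CC note or the Nortel statement. It computes the effective values of the two keywords the statement discusses from the text of an sshd_config, using the parsing rules OpenSSH applies to this file: a line starting with "#" is a comment, keyword names are case-insensitive, the first uncommented occurrence of a keyword wins, and a keyword that never appears uncommented takes its compiled-in default (yes for both keywords, as the statement says). The two sample configurations are constructed for the example; the handling of "Match" blocks (the script stops at the first one, so per-connection overrides are not modelled) is a simplifying assumption.

```python
"""Effective sshd authentication settings from an sshd_config text.

Added example; not the vendor's or OpenSSH's code. Shows why a commented-out
"#PasswordAuthentication yes" line still leaves password authentication on:
the default applies whenever the keyword is absent from the uncommented text.
"""
import re

# Compiled-in defaults for the two keywords the vendor statement discusses.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# "Keyword value" or "Keyword=value"; sshd accepts both separators.
_LINE_RE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.+?)\s*$")


def parse_sshd_config(text):
    """Return (settings, commented): uncommented keyword -> value (first wins),
    and the set of keywords that appear only inside comment lines."""
    settings = {}
    commented = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Remember what the comment *looks* like it sets; it sets nothing.
            m = _LINE_RE.match(line.lstrip("# "))
            if m:
                commented.add(m.group(1).lower())
            continue
        if line.lower().startswith("match"):
            break  # assumption: global section ends here, Match overrides ignored
        m = _LINE_RE.match(line)
        if not m:
            continue
        key = m.group(1).lower()
        settings.setdefault(key, m.group(2).lower())  # first occurrence wins
    return settings, commented


def effective_auth_settings(text):
    """Effective value of each keyword in DEFAULTS, default applied if absent."""
    settings, _ = parse_sshd_config(text)
    return {k: settings.get(k, d) for k, d in DEFAULTS.items()}


def password_auth_enabled(text):
    return effective_auth_settings(text)["passwordauthentication"] == "yes"


def commented_only_keywords(text):
    """Keywords from DEFAULTS that appear only as comments: the default applies,
    which is exactly the misreading the vendor statement warns about."""
    settings, commented = parse_sshd_config(text)
    return sorted(k for k in DEFAULTS if k in commented and k not in settings)


# Constructed sample: only PubkeyAuthentication was uncommented (the mistake).
MISTAKEN_CONFIG = """\
# Authentication:
PubkeyAuthentication yes
#PasswordAuthentication yes
"""

# Constructed sample: the workaround applied.
CORRECTED_CONFIG = """\
# Authentication:
PubkeyAuthentication yes
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("mistaken", MISTAKEN_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(name, effective_auth_settings(cfg),
              "commented-only:", commented_only_keywords(cfg))
```

The mistaken configuration reports password authentication as still enabled, with "passwordauthentication" listed as a keyword that occurs only in a comment. On a live host with a current OpenSSH, `sshd -T` prints the effective configuration after defaults are applied and is the authoritative check; the script above is useful for reviewing config files offline.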

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2008 by US-CERT, a government organization