Cisco Systems Inc. Not Affected

Notified:  May 10, 2002 Updated: May 21, 2002

Status

Not Affected

Vendor Statement

Cisco is not affected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

F-Secure Affected

Notified:  May 09, 2002 Updated: May 21, 2002

Status

Affected

Vendor Statement

Please see http://www.f-secure.com/support/ssh/ssh2_allowedauthentications_vulnerability.shtml.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nortel Networks Not Affected

Notified:  May 10, 2002 Updated: May 14, 2002

Status

Not Affected

Vendor Statement

Initial verification on a Solaris 8 server with OpenSSH 3.1p1 indicates that the "AllowedAuthentications" keyword is not used in the OpenSSH server configuration. However, OpenSSH uses the following two keywords for authentication configuration:

"PubkeyAuthentication"
"PasswordAuthentication"

The default value for both keywords is yes, which means the server will allow both password and public key authentication. This is not a vulnerability. But since all keywords including "PasswordAuthentication" in the default OpenSSH sshd_config file are commented out, users who want the public key authentication method only may mistakenly just uncomment the "PubkeyAuthentication" keyword and assign a yes value to it, not knowing that password authentication is on by default even though that keyword is commented out in the configuration file.

Workaround fix: For OpenSSH, if public key authentication is the only method allowed, change the default value from "yes" to "no" for the "PasswordAuthentication" keyword in the sshd_config file.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.
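The following is an added example, not code from the CERT/CC note or from Nortel, that applies the point in Nortel's statement to an actual sshd_config: a commented-out line sets nothing, so an administrator who only uncomments "PubkeyAuthentication yes" still has password authentication enabled through the compiled-in default. It assumes the documented OpenSSH rules that keywords are case-insensitive, that the first value given for a keyword wins, and that both keywords default to yes; the two configurations it checks are constructed for the example, and "Match" blocks are deliberately not evaluated.

```python
"""Audit the effective OpenSSH authentication methods in an sshd_config.

Added example, not code from the CERT/CC note or from any vendor. It models
the sshd_config rules described in the Nortel statement: keywords are
case-insensitive, a commented-out line sets nothing, and an unset keyword
keeps its compiled-in default (yes for PubkeyAuthentication and
PasswordAuthentication). It also follows sshd's rule that the first value
given for a keyword wins. Match blocks are not evaluated: parsing stops at
the first "Match" line, since only the global section decides what every
client gets by default.
"""
import re

# Compiled-in defaults as documented for OpenSSH (assumption: only the two
# keywords discussed in the vendor statement are modelled).
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
}

# Accepts "Keyword value" and "Keyword=value" (sshd allows both forms).
_LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.+?)\s*$")


def parse_sshd_config(text):
    """Return {lowercased_keyword: first_value} for the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                            # comment: sets nothing at all
        m = _LINE_RE.match(line)
        if not m:
            continue                            # malformed line: ignore here
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break                               # conditional section: stop
        settings.setdefault(key, value)         # first occurrence wins
    return settings


def effective_auth(text):
    """Effective value of each authentication keyword, applying defaults."""
    settings = parse_sshd_config(text)
    return {k: settings.get(k, default) for k, default in DEFAULTS.items()}


def password_auth_enabled(text):
    """True when the server will still accept password logins."""
    return effective_auth(text)["passwordauthentication"] == "yes"


# Constructed sample: the mistake Nortel describes. Only PubkeyAuthentication
# was uncommented; PasswordAuthentication is still a comment, so it stays on.
MISTAKEN_CONFIG = """\
# Authentication:
PubkeyAuthentication yes
#PasswordAuthentication yes
"""

# Constructed sample with the workaround applied: the keyword is set explicitly.
FIXED_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("mistaken", MISTAKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, effective_auth(cfg),
              "password login enabled:", password_auth_enabled(cfg))
```

On the mistaken configuration the audit reports password login still enabled; only the explicit "PasswordAuthentication no" turns it off. Reading the file is a reasonable pre-flight check, but the authoritative answer is the running daemon: later OpenSSH releases can print their effective configuration with `sshd -T`, and an `ssh -v` connection attempt shows which methods the server actually offers.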

Novell Not Affected

Notified:  May 14, 2002 Updated: May 23, 2002

Status

Not Affected

Vendor Statement

Novell does not ship ISC's DHCPD.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenSSH Not Affected

Notified:  May 09, 2002 Updated: May 15, 2002

Status

Not Affected

Vendor Statement

OpenSSH is not vulnerable to this particular problem.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SSH Communications Security Affected

Notified:  April 24, 2002 Updated: May 20, 2002

Status

Affected

Vendor Statement

Please see http://www.ssh.com/products/ssh/advisories/authentication.cfm.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.