OpenBSD Journal

OpenSSH 1.2.3 is out

Contributed by louis on from the the-march-of-progress dept.

Louis Bertrand writes: OpenSSH 1.2.3 is out. Nothing major, just a bunch of minor bugfixes, none related to security.


Comments
  1. By itamar (itamarst@yahoo.com)

    When you have denied root ssh access, you still get a password prompt - and you get a different denial response depending on whether the password is correct or not.

    In other words, you can use ssh to discover root's password (using brute force methods, of course) even if sshd is set to deny root:

    [itamar@Mercedes itamar]$ ssh root@1.1.1.1
    root@1.1.1.1's password:
    Permission denied, please try again.
    root@1.1.1.1's password:
    Permission denied, please try again.
    root@1.1.1.1's password:
    Permission denied.

    and now with the correct password:
    [itamar@Mercedes itamar]$ ssh root@1.1.1.1
    root@1.1.1.1's password:
    Received disconnect: ROOT LOGIN REFUSED FROM 2.2.2.2

    No idea if it was fixed in 1.2.3 / 1.2.2p1, but I was mailed a patch.
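
The comment above describes a response oracle: with root login denied, the server still answers a correct password differently from a wrong one. A simplified single-account model of that behaviour beside a form that answers uniformly, as an added example that is not OpenSSH's code and not part of the original comment; the function names, reply codes and sample password are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample secret for the model; not a value from the page. */
static const char *ROOT_PW = "constructed-sample-secret";

/* What the client can observe (hypothetical reply codes). */
enum reply { REPLY_OK, REPLY_DENIED, REPLY_ROOT_REFUSED };

typedef enum reply (*auth_fn)(const char *user, const char *pw, int permit_root);

/* Behaviour described in the comment: the root-login policy is applied only
 * after the password matched, and the refusal has its own distinct reply. */
enum reply auth_leaky(const char *user, const char *pw, int permit_root) {
    if (strcmp(pw, ROOT_PW) != 0)
        return REPLY_DENIED;                 /* "Permission denied" */
    if (strcmp(user, "root") == 0 && !permit_root)
        return REPLY_ROOT_REFUSED;           /* "ROOT LOGIN REFUSED" */
    return REPLY_OK;
}

/* Uniform form: the password is still evaluated, but a policy denial forces
 * the result to the same generic failure a wrong password produces. */
enum reply auth_uniform(const char *user, const char *pw, int permit_root) {
    int ok = (strcmp(pw, ROOT_PW) == 0);
    if (strcmp(user, "root") == 0 && !permit_root)
        ok = 0;                              /* policy overrides, reply unchanged */
    return ok ? REPLY_OK : REPLY_DENIED;
}

/* Regression check: returns 1 if, with root login disabled, the reply to the
 * right password differs from the reply to a wrong one. */
int leaks_password(auth_fn auth) {
    return auth("root", ROOT_PW, 0) != auth("root", "wrong-guess", 0);
}

int main(void) {
    printf("leaky:   distinguishable=%d\n", leaks_password(auth_leaky));
    printf("uniform: distinguishable=%d\n", leaks_password(auth_uniform));
    return 0;
}
```

The model compares only the reply code; a real server would record the specific refusal reason in its own log rather than send it to the client.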

  2. By feck (wh0rde@home.com), http://reet.stupidphat.com

    http://www.openssh.org/org-vs-com/

    This explains everything, feck! This has already been posted? Feck again.
