[2262] in Release_7.7_team
sshd probably not affected by Kerberos vulnerability
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue May 16 15:38:05 2000
Date: Tue, 16 May 2000 15:37:52 -0400
Message-Id: <200005161937.PAA01579@egyptian-gods.mit.edu>
From: Greg Hudson <ghudson@MIT.EDU>
To: release-announce@MIT.EDU
Hi. I'd like to correct an error I made in my announcement regarding
the impact of the Kerberos vulnerability. The remotely exploitable
vulnerabilities are in kshd and the krb4 krb_rd_req() library
function; there is no known remote exploit against any functions in
the krb5 library. This means that sshd with krb5 support is not
vulnerable, because it never calls the krb4 krb_rd_req() function.
So, if you a machine running sshd with krb5 support as well as various
Kerberized daemons, and for whatever reason you cannot get fixes, you
can disable the Kerberos daemons (klogind, kshd, telnetd) and leave
sshd enabled.
Sorry to generate so much traffic on this issue.
