[21791] in bugtraq
Re: URGENT SECURITY ADVISORY FOR SSH SECURE SHELL 3.0.0
daemon@ATHENA.MIT.EDU (Brandon S. Allbery KF8NH)
Mon Jul 23 15:03:37 2001
Date: Fri, 20 Jul 2001 23:08:33 -0400
From: "Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu>
To: Dan Kaminsky <dankamin@cisco.com>,
Stephanie Thomas <customer.service@ssh.com>, bugtraq@securityfocus.com
Message-ID: <70920000.995684910@vpn88.ece.cmu.edu>
In-Reply-To: <007b01c1118a$64bb2570$1900010a@na.cisco.com>
On Friday, July 20, 2001 19:11:02 -0700, Dan Kaminsky <dankamin@cisco.com>
wrote:
+-----
| The big issue here, of course, is not that sshd incorrectly checks the
| cryptographic hash of an inadequately sized password but that it checks it
| at all. NP, as far as I know, specifically stands for No Password
| (acceptable, *not* needed), and !! I believe has the same meaning for
| Linux (! for "no"). SSHD has traditionally when possible directly tested
+--->8
Is it me, or is this the *same* bug that was found in the 1.2.x code some
time back?
--
brandon s. allbery [os/2][linux][solaris][freebsd] allbery@kf8nh.apk.net
system administrator [JAPH][WAY too many hats] allbery@ece.cmu.edu
electrical and computer engineering KF8NH
carnegie mellon university [linux: proof of the million monkeys theory]
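
The point made in the quoted paragraph, that a marker such as NP or !! should never reach the hash comparison at all, shown as an added example (not part of this message and not SSH's code). The names `classify_pw_field`, `password_ok` and the stand-in `demo_hash` are hypothetical, and denying empty fields is an assumed policy.

```c
#include <stddef.h>
#include <string.h>

/* Shortest real hash: traditional DES crypt(3), 2 salt chars + 11 hash chars. */
#define MIN_HASH_LEN 13

enum pw_kind { PW_EMPTY, PW_LOCKED, PW_HASH };

/* Decide what a passwd/shadow password field is before any hashing happens. */
enum pw_kind classify_pw_field(const char *field)
{
    if (field == NULL || field[0] == '\0')
        return PW_EMPTY;                  /* no password set */
    if (field[0] == '!' || field[0] == '*')
        return PW_LOCKED;                 /* "!!", "*", "*LK*", "!<hash>" */
    if (strlen(field) < MIN_HASH_LEN)
        return PW_LOCKED;                 /* "NP", "x": too short to be a hash */
    return PW_HASH;
}

/* Constructed stand-in for crypt(3) so the example runs offline: NOT a real hash. */
const char *demo_hash(const char *password, const char *salt)
{
    static char out[MIN_HASH_LEN + 1];
    size_t n = strlen(password);
    out[0] = salt[0];
    out[1] = salt[1];
    for (size_t i = 2; i < MIN_HASH_LEN; i++)
        out[i] = (char)('a' + (n ? (unsigned char)password[i % n] % 26 : 0));
    out[MIN_HASH_LEN] = '\0';
    return out;
}

/* Returns 1 only when the field is a real hash and the whole string matches. */
int password_ok(const char *field, const char *password,
                const char *(*hash)(const char *, const char *))
{
    if (classify_pw_field(field) != PW_HASH)
        return 0;                         /* markers and empty fields: deny */
    const char *computed = hash(password, field);
    if (computed == NULL || strlen(computed) != strlen(field))
        return 0;
    unsigned char diff = 0;               /* full-length, constant-time compare */
    for (size_t i = 0; field[i] != '\0'; i++)
        diff |= (unsigned char)(computed[i] ^ field[i]);
    return diff == 0;
}
```

In a real daemon the `hash` argument would be the platform's crypt(3); the classification step stays the same.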