Notified: May 10, 2002 Updated: May 21, 2002
Not Affected
Cisco is not affected.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: May 09, 2002 Updated: May 21, 2002
Affected
Please see http://www.f-secure.com/support/ssh/ssh2_allowedauthentications_vulnerability.shtml.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: May 10, 2002 Updated: May 14, 2002
Not Affected
Initial verification on a Solaris 8 server with OpenSSH 31p1 indicates that the "AllowedAuthentications" keyword is not used in the OpenSSH server configuration. However, OpenSSH uses the following two keywords for authentication configuration: "PubkeyAuthentication" and "PasswordAuthentication".

The default value for both keywords is yes, which means the server will allow both password and public key authentication. This is not a vulnerability. But since all keywords, including "PasswordAuthentication", in the default OpenSSH sshd_config file are commented out, users who want the public key authentication method only may mistakenly just uncomment the "PubkeyAuthentication" keyword and assign a yes value to it, not knowing that password authentication is on by default even though that keyword is commented out in the configuration file.

Workaround fix: For OpenSSH, if public key authentication is the only method allowed, change the default value from "yes" to "no" for the "PasswordAuthentication" keyword in the sshd_config file.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
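The configuration pitfall in the vendor statement above can be checked mechanically. The following is an added example, not part of the vendor statement or of any vendor's code: it computes the effective global values of the two keywords from sshd_config text, using the defaults the statement gives. The function names and both sample configurations are constructed for illustration, and it assumes sshd keeps the first value it reads for a keyword.

```python
import re

# Defaults as given in the vendor statement above: both methods are
# enabled unless the file explicitly sets them otherwise.
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes"}


def effective_auth(config_text):
    """Return the effective global value of each keyword in DEFAULTS."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out keyword leaves the default in force
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # conditional blocks are out of scope: global settings only
        if key in DEFAULTS and len(parts) == 2:
            # Assumption: the first value read for a keyword is the one used.
            seen.setdefault(key, parts[1].strip().lower())
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}


def password_login_possible(config_text):
    """True when password authentication is still effectively enabled."""
    return effective_auth(config_text)["passwordauthentication"] != "no"


# Constructed sample: the mistake described in the statement. Only the
# public key keyword is uncommented, so the password default still applies.
MISTAKEN = """\
#PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample: the workaround from the statement.
FIXED = """\
PubkeyAuthentication yes
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("mistaken", MISTAKEN), ("fixed", FIXED)):
        print(name, effective_auth(text), password_login_possible(text))
```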
Notified: May 14, 2002 Updated: May 23, 2002
Not Affected
Novell does not ship ISC's DHCPD.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: May 09, 2002 Updated: May 15, 2002
Not Affected
OpenSSH is not vulnerable to this particular problem.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 24, 2002 Updated: May 20, 2002
Affected
Please see http://www.ssh.com/products/ssh/advisories/authentication.cfm.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.