> > >A quick glance at the source code suggests that SSH 2.3.0 and > >2.4.0 have the same problem. Is this true? > > I suppose we are talking about this section of ssh 2.4.0's > sshunixuser.c: > > 940 > 941 /* Authentication is accepted if the encrypted passwords are identical. */ > 942 #ifdef HAVE_HPUX_TCB_AUTH > 943 return strncmp(encrypted_password, correct_passwd, > 944 strlen(correct_passwd)) == 0; > 945 #else /* HAVE_HPUX_TCB_AUTH */ > 946 return strcmp(encrypted_password, correct_passwd) == 0; > 947 #endif /* HAVE_HPUX_TCB_AUTH */ > > If I read this correctly, it's certainly not a problem unless ssh is > compiled with HAVE_HPUX_TCB_AUTH defined. In that case, it may or the linux compile at least doesn't #define HAVE_HPUX_TCB_AUTH so the sshd 2.4.0 is not vulnerable on linux. Luci
This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 09:36:47 PDT