SSH Secure Shell Server AllowedAuthentications Configuration Vulnerability

Published: 2002-05-28
Updated: 2002-05-28
Severity: Medium
Threat level: Other
Error type: Design error
Exploitation mode: Server mode
BUGTRAQ ID: 4810

Affected systems

SSH Communications Security SSH2 3.0

Detailed description

Secure Shell is a commercial SSH implementation.

Under certain circumstances, a remote user can bypass the "AllowedAuthentications" setting in the server configuration. For example, if "passwd" is not listed after "AllowedAuthentications", password authentication should not be usable. Because of this vulnerability the rule can be bypassed, so an attacker may avoid the stronger authentication methods and gain access to the system by guessing weak passwords.

Test code

See description.

Solution

In sshd2_config, use "RequiredAuthentications" instead of "AllowedAuthentications":

    RequiredAuthentications hostbased, publickey

Download the upgrade:

SSH Communications Security SSH2 3.0:
    SSH Communications Security Upgrade ssh 3.1.2 for Win32
    Contact SSH Communication Security for details on obtaining this fix.
    SSH Communications Security Upgrade ssh-3.1.2.tar.gz
    ftp://ftp.ssh.com/pub/ssh/ssh-3.1.2.tar.gz

SSH Communications Security SSH2 3.0.1:
    SSH Communications Security Upgrade ssh 3.1.2 for Win32
    Contact SSH Communication Security for details on obtaining this fix.
    SSH Communications Security Upgrade ssh-3.1.2.tar.gz
    ftp://ftp.ssh.com/pub/ssh/ssh-3.1.2.tar.gz

SSH Communications Security SSH2 for Unix 3.1:
    SSH Communications Security Upgrade ssh-3.1.2.tar.gz
    ftp://ftp.ssh.com/pub/ssh/ssh-3.1.2.tar.gz

SSH Communications Security SSH2 for Win32 3.1:
    SSH Communications Security Upgrade ssh 3.1.2 for Win32
    Contact SSH Communication Security for details on obtaining this fix.

SSH Communications Security SSH2 for Win32 3.1.1:
    SSH Communications Security Upgrade ssh 3.1.2 for Win32
    Contact SSH Communication Security for details on obtaining this fix.

SSH Communications Security SSH2 for Unix 3.1.1:
    SSH Communications Security Upgrade ssh-3.1.2.tar.gz
    ftp://ftp.ssh.com/pub/ssh/ssh-3.1.2.tar.gz

Related information

SSH Communications Security.

Reference: http://online.securityfocus.com/archive/1/273840
Related homepage: http://www.ssh.com/products/ssh/advisories/authentication.cfm
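
An added example, not part of the original advisory or the vendor's code: a small audit that flags an sshd2_config relying on "AllowedAuthentications" alone to keep password authentication out, which is the setup the workaround above replaces. It assumes "Keyword value" lines, "#" comments and comma-separated method lists; the function names and sample configs are constructed for illustration.

```python
# Added audit example; the sample configs below are constructed, not from the advisory.
WEAK = """\
# constructed sample sshd2_config
Port 22
AllowedAuthentications hostbased,publickey
"""
FIXED = """\
# constructed sample sshd2_config
Port 22
RequiredAuthentications hostbased, publickey
"""

AUTH_KEYS = ("allowedauthentications", "requiredauthentications")
# Assumption: the password method may be spelled "password" or "passwd" (the advisory's spelling).
PASSWORD_NAMES = {"password", "passwd"}


def parse_auth_settings(text):
    """Return {lowercased keyword: [methods]} for the two authentication keywords."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key in AUTH_KEYS:
            value = parts[1] if len(parts) > 1 else ""
            settings[key] = [m.strip().lower() for m in value.split(",") if m.strip()]
    return settings


def audit(text):
    """Flag configs that rely on AllowedAuthentications alone to keep passwords out."""
    settings = parse_auth_settings(text)
    allowed = settings.get("allowedauthentications")
    findings = []
    if allowed is not None and "requiredauthentications" not in settings:
        # Only a policy that excludes passwords depends on the bypassable restriction.
        if not PASSWORD_NAMES & set(allowed):
            findings.append(
                "AllowedAuthentications omits password authentication but "
                "RequiredAuthentications is not set; set it or upgrade to 3.1.2"
            )
    return findings
```

Calling `audit(WEAK)` returns one finding and `audit(FIXED)` returns an empty list.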