RE: [ANNOUNCEMENT]: patched openSSH-1.2.2 [was Re: No this has a nasty bite]

["Prentis Brooks" <prentis at aol dot net>]

Thanks Corinna,
	I will not be in the office until Tuesday (Memorial Day holiday here in the
US).  At that time I will apply your updated binaries and continue from
there.  Also, I quickly glanced through the diff file but did not see how
you corrected this... or at least you corrected it in a way completely
different from what I was looking to do.  Would you mind telling me how you
solved the problem of unauthorized access to a another account?
(specifically, being able to login to RSA enabled SSHD eventhough your RSA
key is not part of that SSHD's user's authorized_key file.)

-----Original Message-----
From: corinna@snoopy.vinschen.de [mailto:corinna@snoopy.vinschen.de]On
Behalf Of Corinna Vinschen
Sent: Saturday, May 27, 2000 5:35 PM
To: Prentis Brooks
Cc: Cygwin
Subject: [ANNOUNCEMENT]: patched openSSH-1.2.2 [was Re: No this has a
nasty bite]


Prentis Brooks wrote:
> You have RSA Authentication enabled and running as user foo on port 22.
You
> have another Daemon running SSH with password authentication on port 26.
If
> user bar sets up RSA keys in his/her home directory and then connects to
> port 22, it will authenticate him/her via the keys in bar's home directory
> and then promptly drop them to the shell as foo... this is bad.

Should be solved in my new version. You will find it in

ftp://ftp.franken.de/pub/win32/develop/gnuwin32/cygwin/porters/Vinschen_Cori
nna/V1.1.1

files

	openssh-1.2.2-2.README
	openssh-1.2.2-2.tar.gz
	openssh-1.2.2-2.diff


Have fun,
Corinna

--
Corinna Vinschen
Cygwin Developer
Cygnus Solutions, a Red Hat company


--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe@sourceware.cygnus.com