Re: S/Key & OPIE Database Vulnerability
Subject: Re: S/Key & OPIE Database Vulnerability
From: David Maxwell (david FUNDY.CA)
Date: Sun Jan 23 2000 - 20:13:08 CST
On Fri, Jan 21, 2000 at 07:15:20PM -0600, harikiri wrote:
> w00w00 Security Advisory - http://www.w00w00.org
>
> Title: S/Key & OPIE Database Vulnerability
> Platforms: BSD/OS 4.0.1 (SKEY).
> FreeBSD 3.4-RELEASE (OPIE).
> Linux Distributions (with skey-2.2-1 RPM).
> Any Unix running skey-2.2. (possibly earlier versions too)
> Discovered: 14th January, 2000

NetBSD began installing a mode 600 /etc/skeykeys file as of Jan 6, 1999.
This issue would not affect the two most recent formal releases, 1.4,
and 1.4.1 - as they include the more secure default.

Users of skey on earlier installs should evaluate appropriate permissions
for their /etc/skeykeys file based on local requirements (e.g. non-setuid
programs performing authentication) - as indicated in the w00w00 advisory.

I'm not a member of the NetBSD security team, I'm just speaking as a user...

-- David Maxwell, davidvex.net|david maxwell.net --> Any sufficiently advanced Common Sense will seem like magic... - me
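
A permission check for the key file discussed in this message, as an added example that is not part of the original post or of any NetBSD or S/Key tooling. The function names and return codes are assumptions chosen for illustration; the default path /etc/skeykeys is the one named above.

```shell
#!/bin/sh
# Added example (not from the original message): permission audit for an
# S/Key key database. The default path is the one named in the thread.

# Print the file's permission bits in octal: GNU stat first, then BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# audit_skeykeys [FILE]
# Return codes (constructed for this example):
#   0  owner-only access (mode 600 or stricter)
#   1  group has access: review against local requirements
#   2  users outside owner and group have access
#   3  file missing or mode could not be read
audit_skeykeys() {
    f=${1:-/etc/skeykeys}
    if [ ! -f "$f" ]; then
        echo "ERROR: $f not found or not a regular file"
        return 3
    fi
    mode=$(file_mode "$f") || mode=
    case $mode in
        ''|*[!0-7]*) echo "ERROR: cannot read mode of $f"; return 3 ;;
    esac
    # Any of the "other" bits (r, w or x) set.
    if [ $(( 0$mode & 007 )) -ne 0 ]; then
        echo "FAIL: $f is mode $mode; users outside owner and group can access it"
        return 2
    fi
    # Any of the "group" bits set.
    if [ $(( 0$mode & 070 )) -ne 0 ]; then
        echo "REVIEW: $f is mode $mode; group access is justified only if a"
        echo "        non-setuid program performing authentication needs it"
        return 1
    fi
    echo "OK: $f is mode $mode (owner-only)"
    return 0
}
```

Source the file and run `audit_skeykeys` with no argument to check /etc/skeykeys, or pass another path to check a copy.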