CVE-2021-36368 - added option to disable trivial auth methods #258

Closed
wants to merge 4 commits into from

manfred-kaiser

I have added an option `-o DisableTrivialAuth=yes` to disable trivial authentications as mentioned in my mails.

@manfred-kaiser manfred-kaiser marked this pull request as draft June 21, 2021 08:38
@manfred-kaiser manfred-kaiser marked this pull request as ready for review June 21, 2021 08:47
@manfred-kaiser
Author

Would you merge this pull request, because we are planning to create a CVE and I think this should be mitigated before we publish a full disclosure.

@manfred-kaiser manfred-kaiser deleted the branch openssh:master August 18, 2021 13:45
@manfred-kaiser manfred-kaiser deleted the master branch August 18, 2021 13:45
@manfred-kaiser manfred-kaiser restored the master branch August 18, 2021 13:54
@manfred-kaiser
Author

Commit 9e1882e introduced a change in verbose logging, which can be used to detect trivial success authentication. This is an improvement, but is too complicated and inconvenient to mitigate it.
This is the reason why I have updated my pull request to the latest master.

@manfred-kaiser manfred-kaiser changed the title added option to disable trivial auth methods CVE-2021-36368 - added option to disable trivial auth methods Aug 19, 2021
@manfred-kaiser
Author

AUT-milCERT wants to release information about "trivial success authentication" in the next weeks.

Do you want to merge our patch or are you planning to implement some other mitigation approaches in the next release?

@djmdjm
Contributor

djmdjm commented Aug 20, 2021

No, we do not plan to merge this patch.
