Linux Today: Linux News On Internet Time.

More on LinuxToday

Red Hat Linux Advisory: openssh

Jul 29, 2003, 20:59 (0 Talkback[s])

WEBINAR: On-demand Event

Replace Oracle with the NoSQL Engagement Database: Why and how leading companies are making the switch REGISTER >

Red Hat Security Advisory

Synopsis: Updated openssh packages available
Advisory ID: RHSA-2003:222-01
Issue date: 2003-07-29
Updated on: 2003-07-29
Product: Red Hat Linux
Keywords: openssh pam timing information leak
Cross references:  
Obsoletes: RHSA-2002:127
CVE Names: CAN-2003-0190

1. Topic:

Updated OpenSSH packages are now available. These updates close an information leak caused by sshd's interaction with the PAM system.

2. Relevant releases/architectures:

Red Hat Linux 7.1 - i386
Red Hat Linux 7.1 for iSeries (64 bit) - ppc
Red Hat Linux 7.1 for pSeries (64 bit) - ppc
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386
Red Hat Linux 9 - i386

3. Problem description:

OpenSSH is a suite of network connectivity tools that can be used to establish encrypted connections between systems on a network and can provide interactive login sessions and port forwarding, among other functions.

When configured to allow password-based or challenge-response authentication, sshd (the OpenSSH server) uses PAM (Pluggable Authentication Modules) to verify the user's password. Under certain conditions, OpenSSH versions prior to 3.6.1p1 reject an invalid authentication attempt without first attempting authentication using PAM.

If PAM is configured with its default failure delay, the amount of time sshd takes to reject an invalid authentication request varies widely enough that the timing variations could be used to deduce whether or not an account with a specified name existed on the server. This information could then be used to narrow the focus of an attack against some other system component.

These updates contain backported fixes that cause sshd to always attempt PAM authentication when performing password and challenge-response authentication for clients.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:


This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 7.1:



Red Hat Linux 7.1 for iSeries (64 bit):



Red Hat Linux 7.1 for pSeries (64 bit):



Red Hat Linux 7.2:




Red Hat Linux 7.3:



Red Hat Linux 8.0:



Red Hat Linux 9:



6. Verification:

MD5 sum Package Name

bfbd152a2069230041ff1298b0562061 7.1/en/os/SRPMS/openssh-3.1p1-7.src.rpm
48c37500a4c7984673878edbef7e9cde 7.1/en/os/i386/openssh-3.1p1-7.i386.rpm
3f59bffd703bac24632f4e34e2beed22 7.1/en/os/i386/openssh-askpass-3.1p1-7.i386.rpm
def478c5b3f97af908e3cb4d8306662b 7.1/en/os/i386/openssh-askpass-gnome-3.1p1-7.i386.rpm
e9947146ea766572cbd9457f320a4f06 7.1/en/os/i386/openssh-clients-3.1p1-7.i386.rpm
879cbb50923935cebf20b39578dc8eed 7.1/en/os/i386/openssh-server-3.1p1-7.i386.rpm
bfbd152a2069230041ff1298b0562061 7.1/en/os/iSeries/SRPMS/openssh-3.1p1-7.src.rpm
7c8aa13e79e6c856181852de76c86722 7.1/en/os/iSeries/ppc/openssh-3.1p1-7.ppc.rpm
b1a591c23d345fd96f2d0fab2eb958be 7.1/en/os/iSeries/ppc/openssh-askpass-3.1p1-7.ppc.rpm
ae6d48792fea701e75b114333babe37c 7.1/en/os/iSeries/ppc/openssh-askpass-gnome-3.1p1-7.ppc.rpm
f7ee0ce5cefe22043828863da06ce331 7.1/en/os/iSeries/ppc/openssh-clients-3.1p1-7.ppc.rpm
d9f993c8fa47ec3956f5e1e3c6f176d5 7.1/en/os/iSeries/ppc/openssh-server-3.1p1-7.ppc.rpm
bfbd152a2069230041ff1298b0562061 7.1/en/os/pSeries/SRPMS/openssh-3.1p1-7.src.rpm
7c8aa13e79e6c856181852de76c86722 7.1/en/os/pSeries/ppc/openssh-3.1p1-7.ppc.rpm
b1a591c23d345fd96f2d0fab2eb958be 7.1/en/os/pSeries/ppc/openssh-askpass-3.1p1-7.ppc.rpm
ae6d48792fea701e75b114333babe37c 7.1/en/os/pSeries/ppc/openssh-askpass-gnome-3.1p1-7.ppc.rpm
f7ee0ce5cefe22043828863da06ce331 7.1/en/os/pSeries/ppc/openssh-clients-3.1p1-7.ppc.rpm
d9f993c8fa47ec3956f5e1e3c6f176d5 7.1/en/os/pSeries/ppc/openssh-server-3.1p1-7.ppc.rpm
22f17a835f12a4131a21487d5ee3dec6 7.2/en/os/SRPMS/openssh-3.1p1-8.src.rpm
013694ec0e839f077e7980d9cebfa277 7.2/en/os/i386/openssh-3.1p1-8.i386.rpm
a942a051510a5a0aa34b0774d6eb8ee0 7.2/en/os/i386/openssh-askpass-3.1p1-8.i386.rpm
de35a67fa21ec478aff57ce5c830f84e 7.2/en/os/i386/openssh-askpass-gnome-3.1p1-8.i386.rpm
8c9d37f46f76093eccea80571d687d46 7.2/en/os/i386/openssh-clients-3.1p1-8.i386.rpm
42ec08d8633862da9c988524fecdafbb 7.2/en/os/i386/openssh-server-3.1p1-8.i386.rpm
d9441bbe925832b82766b8140fb4bb77 7.2/en/os/ia64/openssh-3.1p1-8.ia64.rpm
58765b526317e03dcf9371d9b225fa68 7.2/en/os/ia64/openssh-askpass-3.1p1-8.ia64.rpm
46b8de0e5072ff7ee614c7e5dfc536b9 7.2/en/os/ia64/openssh-askpass-gnome-3.1p1-8.ia64.rpm
1e95e8ca735b971bcb1a1824becaa582 7.2/en/os/ia64/openssh-clients-3.1p1-8.ia64.rpm
8ae51f6f0116f60fd29545b4f9560613 7.2/en/os/ia64/openssh-server-3.1p1-8.ia64.rpm
22f17a835f12a4131a21487d5ee3dec6 7.3/en/os/SRPMS/openssh-3.1p1-8.src.rpm
013694ec0e839f077e7980d9cebfa277 7.3/en/os/i386/openssh-3.1p1-8.i386.rpm
a942a051510a5a0aa34b0774d6eb8ee0 7.3/en/os/i386/openssh-askpass-3.1p1-8.i386.rpm
de35a67fa21ec478aff57ce5c830f84e 7.3/en/os/i386/openssh-askpass-gnome-3.1p1-8.i386.rpm
8c9d37f46f76093eccea80571d687d46 7.3/en/os/i386/openssh-clients-3.1p1-8.i386.rpm
42ec08d8633862da9c988524fecdafbb 7.3/en/os/i386/openssh-server-3.1p1-8.i386.rpm
81ed2140e12f15e4518fc2fe3aef10eb 8.0/en/os/SRPMS/openssh-3.4p1-4.src.rpm
d625e5b2eca982b5b92ac0862eae1b73 8.0/en/os/i386/openssh-3.4p1-4.i386.rpm
34e91b60c3b5296c8e5185d5cf832013 8.0/en/os/i386/openssh-askpass-3.4p1-4.i386.rpm
536394cfe9c2b3068580269b346f6c1f 8.0/en/os/i386/openssh-askpass-gnome-3.4p1-4.i386.rpm
ce583ee467532c9af9b9482cc90cd375 8.0/en/os/i386/openssh-clients-3.4p1-4.i386.rpm
a81ee000ffc59c3f210fb4f08a02f2a7 8.0/en/os/i386/openssh-server-3.4p1-4.i386.rpm
321f50363605e1976cc19b7ceacf6d26 9/en/os/SRPMS/openssh-3.5p1-6.9.src.rpm
71613a13c1e40faa16f9a01fabf0e8b3 9/en/os/i386/openssh-3.5p1-6.9.i386.rpm
7b70f6b671b87385646d382115974724 9/en/os/i386/openssh-askpass-3.5p1-6.9.i386.rpm
9a8d60a683b055feba9855db74467fff 9/en/os/i386/openssh-askpass-gnome-3.5p1-6.9.i386.rpm
5c18b658c8bed7c434d8d9f142a95e7f 9/en/os/i386/openssh-clients-3.5p1-6.9.i386.rpm
3971445a5ee73f5c8b7fdc022b0432e8 9/en/os/i386/openssh-server-3.5p1-6.9.i386.rpm

These packages are GPG signed by Red Hat for security. Our key is available from

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command:

md5sum <filename>

7. References:

8. Contact:

The Red Hat security contact is <>. More contact details at

Copyright 2003 Red Hat, Inc.