Date: 29 Nov 2001 01:32:13 -0000
From: Tony Chimienti <[email protected]>
To: [email protected]Subject: SafeWord Agent for SSH (secure shell) vulnerability
Mailer: SecurityFocus
This is Secure Computing's response to a security
alert that was posted on www.securityfocus.com on
Nov 23, 2001. The posting was related specifically to
the SafeWord Agent for SSH (secure shell), and
implied there was a security risk directly tied to
SafeWord PremierAccess, which is false. Secure
Computing has since removed the SafeWord Agent
for SSH from the Secure Computing public web site
and is longer available from any source.
Clarification on some misrepresentation in the
original posting:
1) The SafeWord Agent for SSH was not an SSH
server, it in fact was only made up of modified files
that were needed for a software build process. This
build process would then create the necessary binary
files to allow a SSH server to communicate with a
SafeWord authentication server. Unfortunately those
modified files were based on SSH.com's ssh v1.2.27
which is possibly known to cause a vulnerability on
SSH servers. Secure Computing has since removed
these modified files from our web site and regrets
any inconvenience it may have caused our
customers.
2) SafeWord PremierAccess or any other
commercially available product from Secure
Computing has never shipped with the SafeWord
Agent for SSH, and in fact this code is not part of the
currently shipping SafeWord PremierAccess product
nor is the SafeWord SSH agent on any of the
PremierAccess CD's available today, including the
SafeWord Deployment CD, which includes several
different agents. The SafeWord SSH agent was only
made available for download from the SCC web site
for customers who wished to build binary files for use
with SafeWord authentication servers. These agent
files have been removed from our web site and can
no longer be downloaded.
3) SafeWord PremierAccess servers were never the
cause of any security vulnerabilities mentioned in this
alert and SafeWord PremierAccess continues to set
the standard in authentication and access control
functionality.
It is recommended that if a customer is currently
using or wishes to use a SSH server and protect it
with SafeWord PremierAccess, they should use
OpenSSH and use the SafeWord PremierAccess
Agent for PAM. SafeWord PremierAccess operates
with OpenSSH through the Pluggable Authentication
Module (PAM) framework. Secure Computing has a
detailed application note on how to use OpenSSH
and the SafeWord PAM agent for authentication with
SafeWord PremierAccess. Please go to
http://www.securecomputing.com/index.cfm
sKey=827 to access this application note.
Thank you,
Secure Computing
