
OpenSSH 3.4 is out; alternative solution?

CNET staff
OpenSSH 3.4 is out. It addresses the security vulnerability previously noted here. The page also states: "The 3.4 release contains many other fixes done over a week-long audit started when this issue came to light. We believe that some of those fixes are likely to be important security fixes. Therefore, we urge an upgrade to 3.4."

OpenSSH generally uses full encryption and is purported to be resistant to network monitoring, eavesdropping, and connection hijacking attacks. Mac OS X is only vulnerable to the recently discovered hole if remote terminal access is allowed, as described in this Knowledge Base article.

Doing this upgrade on a Mac requires some knowledge of how to perform this Unix software upgrade. It is not as simple as dragging a file to your drive. With that in mind, Julian Koh adds: "For those of you who aren't too interested in compiling a new version of OpenSSH in order to protect yourselves against the vulnerability announced this week, you can protect yourself until Apple's next security update with the following:

  1. Edit /etc/sshd_config as root (using sudo is fine)
  2. Remove the # comment mark at the beginning of the line: #ChallengeResponseAuthentication no
  3. Save the file, and then restart sshd (open Sharing section of System Prefs, uncheck box for Allow Remote Login, then check the box again). All should be well.

The vulnerability is only in the Challenge Response authentication mechanisms used in OpenSSH, so unless you're using SKEY authentication, this will have no impact on you. This is based on the ISS advisory."

Note: We have not personally confirmed Julian's solution.
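
One way to check that the edit described above took effect, as an added example that is not part of the original article or Julian Koh's note. The function name cra_status and the sample lines are constructed for illustration; the check assumes what sshd_config(5) documents, namely that keywords are case-insensitive and the first value obtained for a keyword is the one used.

```shell
#!/bin/sh
# Added example (not from the article): report how
# ChallengeResponseAuthentication is set in an sshd_config-style file.
# Prints one of:
#   disabled      first active line sets it to "no" (the workaround above)
#   not-disabled  first active line sets it to anything else
#   unset         no active line; sshd falls back to its built-in default
# Usage: cra_status /etc/sshd_config   (or "-" to read standard input)
cra_status() {
    awk '
        /^[ \t]*#/ { next }   # a leading "#" comments the line out
        tolower($1) == "challengeresponseauthentication" {
            # The first active occurrence wins; later ones are ignored.
            if ($2 == "no") print "disabled"
            else            print "not-disabled"
            found = 1
            exit
        }
        END { if (!found) print "unset" }
    ' "${1:--}"
}

# Constructed samples: the line still commented out, and after the edit.
sample_before() { printf '%s\n' 'Port 22' '#ChallengeResponseAuthentication no'; }
sample_after()  { printf '%s\n' 'Port 22' 'ChallengeResponseAuthentication no'; }

sample_before | cra_status -   # unset
sample_after  | cra_status -   # disabled
```

The check reads the file only; sshd still has to be restarted as in the last step before the new setting applies to the running daemon.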