SafeWord Agent for SSH (secure shell) vulnerability

[Tony Chimienti <tony_chimienti () securecomputing com>]

Mailer: SecurityFocus

This is Secure Computing's response to a security 
alert that was posted on www.securityfocus.com on 
Nov 23, 2001. The posting was related specifically to 
the SafeWord Agent for SSH (secure shell), and 
implied there was a security risk directly tied to 
SafeWord PremierAccess, which is false.  Secure 
Computing has since removed the SafeWord Agent 
for SSH from the Secure Computing public web site 
and is longer available from any source. 

Clarification on some misrepresentation in the 
original posting:

1) The SafeWord Agent for SSH was not an SSH 
server, it in fact was only made up of modified files 
that were needed for a software build process. This 
build process would then create the necessary binary 
files to allow a SSH server to communicate with a 
SafeWord authentication server. Unfortunately those 
modified files were based on SSH.com's ssh v1.2.27 
which is possibly known to cause a vulnerability on 
SSH servers. Secure Computing has since removed 
these modified files from our web site and regrets 
any inconvenience it may have caused our 
customers.
 
2) SafeWord PremierAccess or any other 
commercially available product from Secure 
Computing has never shipped with the SafeWord 
Agent for SSH, and in fact this code is not part of the 
currently shipping SafeWord PremierAccess product 
nor is the SafeWord SSH agent on any of the 
PremierAccess CD's available today, including the 
SafeWord Deployment CD, which includes several 
different agents. The SafeWord SSH agent was only 
made available for download from the SCC web site 
for customers who wished to build binary files for use 
with SafeWord authentication servers. These agent 
files have been removed from our web site and can 
no longer be downloaded. 

3) SafeWord PremierAccess servers were never the 
cause of any security vulnerabilities mentioned in this 
alert and SafeWord PremierAccess continues to set 
the standard in authentication and access control 
functionality. 

It is recommended that if a customer is currently 
using or wishes to use a SSH server and protect it 
with SafeWord PremierAccess, they should use 
OpenSSH and use the SafeWord PremierAccess 
Agent for PAM. SafeWord PremierAccess operates 
with OpenSSH through the Pluggable Authentication 
Module (PAM) framework. Secure Computing has a 
detailed application note on how to use OpenSSH 
and the SafeWord PAM agent for authentication with 
SafeWord PremierAccess. Please go to 
http://www.securecomputing.com/index.cfm 
sKey=827  to access this application note.  

Thank you,

Secure Computing