The open-source project for secure communications technology, known as OpenSSH, plugged a second security hole on Tuesday that affects only users who have turned off a critical security feature. The flaw appears in an open-source implementation of the Pluggable Authentication Modules (PAMs), a technology adopted by Sun Solaris, Linux and BSD systems to let system administrators easily change the way users log into computers. The default login procedure could be changed to a smart-card-based procedure using a PAM, for example. The project started using open-source versions of the new PAM functions in the latest release of OpenSSH. However, as with a flaw found last week, the current vulnerability affects only versions of OpenSSH that have a security technology known as privilege separation turned off.
The link for this article located at ZDNet is no longer available.
