Mailer: SecurityFocus

This is Secure Computing's response to a security alert that was posted on www.securityfocus.com on Nov 23, 2001. The posting was related specifically to the SafeWord Agent for SSH (secure shell), and implied there was a security risk directly tied to SafeWord PremierAccess, which is false. Secure Computing has since removed the SafeWord Agent for SSH from the Secure Computing public web site and it is no longer available from any source.

Clarification on some misrepresentation in the original posting:

1) The SafeWord Agent for SSH was not an SSH server; it in fact was only made up of modified files that were needed for a software build process. This build process would then create the necessary binary files to allow an SSH server to communicate with a SafeWord authentication server. Unfortunately those modified files were based on SSH.com's ssh v1.2.27 which is possibly known to cause a vulnerability on SSH servers. Secure Computing has since removed these modified files from our web site and regrets any inconvenience it may have caused our customers.

2) SafeWord PremierAccess or any other commercially available product from Secure Computing has never shipped with the SafeWord Agent for SSH, and in fact this code is not part of the currently shipping SafeWord PremierAccess product nor is the SafeWord SSH agent on any of the PremierAccess CDs available today, including the SafeWord Deployment CD, which includes several different agents. The SafeWord SSH agent was only made available for download from the SCC web site for customers who wished to build binary files for use with SafeWord authentication servers. These agent files have been removed from our web site and can no longer be downloaded.

3) SafeWord PremierAccess servers were never the cause of any security vulnerabilities mentioned in this alert and SafeWord PremierAccess continues to set the standard in authentication and access control functionality.

It is recommended that if a customer is currently using or wishes to use an SSH server and protect it with SafeWord PremierAccess, they should use OpenSSH and use the SafeWord PremierAccess Agent for PAM. SafeWord PremierAccess operates with OpenSSH through the Pluggable Authentication Module (PAM) framework.

Secure Computing has a detailed application note on how to use OpenSSH and the SafeWord PAM agent for authentication with SafeWord PremierAccess. Please go to http://www.securecomputing.com/index.cfm sKey=827 to access this application note.

Thank you,
Secure Computing