Remote Hole Reported in OpenSSH
A remote vulnerability in OpenSSH, a widely used open source SSH server, has been announced on numerous security mailing lists. Neither specifics nor proof-of-concept exploits have been provided yet, as the discoverers are giving vendors a chance to come up with patches by the end of this week. What we know is this: all versions of the software, through the latest (OpenSSH 3.3p), are vulnerable unless privilege separation is activated. To enable this feature, add “UsePrivilegeSeparation yes” (without quotes) to your /etc/ssh/sshd_config file. We’ll have more on the vulnerability as details arise.
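One way to confirm that the setting described above is actually in effect, as an added example that is not part of the original advisory: the shell functions below (privsep_setting and check_privsep are hypothetical names) report the first active UsePrivilegeSeparation line in an sshd_config file, since sshd matches keywords case-insensitively, skips commented lines and uses the first value it reads for a keyword. The sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the original advisory. Function names are hypothetical.

# Print the effective UsePrivilegeSeparation value from the file in $1:
# the lower-cased value of the first active line, or "unset" if none exists.
privsep_setting() {
    awk '
        { sub(/\r$/, "") }                         # tolerate CRLF line endings
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)               # keyword ends at blank or "="
            if (n == 0) next                        # keyword without a value
            if (tolower(substr(line, 1, n - 1)) != "useprivilegeseparation") next
            val = substr(line, n)
            sub(/^[ \t=]+/, "", val)                # drop the separator
            sub(/[ \t].*$/, "", val)                # keep the first word only
            gsub(/"/, "", val)                      # value may be quoted
            print tolower(val)
            found = 1
            exit                                    # first value wins
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 only when the file explicitly enables privilege separation.
check_privsep() {
    case "$(privsep_setting "$1")" in
        yes)   echo "OK: UsePrivilegeSeparation yes is active in $1"; return 0 ;;
        unset) echo "WARN: no active UsePrivilegeSeparation line in $1"; return 1 ;;
        *)     echo "FAIL: privilege separation is not set to yes in $1"; return 2 ;;
    esac
}

# Constructed sample: the directive is present but commented out,
# so it has no effect and the check reports WARN.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
Protocol 2
#UsePrivilegeSeparation yes
EOF
check_privsep "$sample" || true
rm -f "$sample"
```

Run check_privsep /etc/ssh/sshd_config on each host after editing the file; sshd must be restarted or sent a HUP before a changed configuration is read.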