[Original text] SSH protocol 2 (aka SSH-2) public key authentication in the development snapshot of OpenSSH 2.3.1, available from 2001-01-18 through 2001-02-08, does not perform a challenge-response step to ensure that the client has the proper private key, which allows remote attackers to bypass authentication as other users by supplying a public key from that user's authorized_keys file.
Loss of Confidentiality,
Loss of Integrity,
Loss of Availability
OpenSSH contains a flaw that may allow a malicious user to log in without appropriate authentication. The issue is triggered when the server is configured to use public key authentication and SSHv2. OpenSSH checks that a public key is allowed to connect, but fails to check that the client holds the corresponding private key. The flaw may allow anyone who has a legitimate system user's public key to connect without authentication, resulting in a loss of confidentiality, integrity, and/or availability.
Upgrade to version 2.3.2 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by disabling public key authentication.
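
A minimal model of the missing check described above, added here as an illustration; it is not OpenSSH code. The toy RSA parameters, the `AUTHORIZED_KEYS` table, the function names and the signed-data layout are assumptions made for the example.

```python
import hashlib

# Toy textbook RSA (constructed, NOT secure) standing in for a user's SSH key pair.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537        # two Mersenne primes
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))             # private exponent, held by the client only
PUB = (N, E)

# Hypothetical stand-in for the server's per-user authorized_keys lookup.
AUTHORIZED_KEYS = {"alice": {PUB}}

def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(d: int, n: int, data: bytes) -> int:
    return pow(digest(data, n), d, n)

def signed_data(session_id: bytes, user: str, pub: tuple) -> bytes:
    # Simplified layout (assumption): the session identifier acts as the
    # challenge, so a signature is bound to one session, user and key.
    return session_id + b"|" + user.encode() + b"|" + repr(pub).encode()

def auth_flawed(user, pub, sig, session_id) -> bool:
    # Behaviour the advisory describes: the key is looked up, nothing else.
    return pub in AUTHORIZED_KEYS.get(user, set())

def auth_checked(user, pub, sig, session_id) -> bool:
    # Key must be authorized AND the signature must verify under that key.
    if pub not in AUTHORIZED_KEYS.get(user, set()):
        return False
    n, e = pub
    return pow(sig, e, n) == digest(signed_data(session_id, user, pub), n)

def demo() -> dict:
    sid, other_sid = b"constructed-session-A", b"constructed-session-B"
    good = sign(D, N, signed_data(sid, "alice", PUB))
    return {
        "flawed, public key only": auth_flawed("alice", PUB, 12345, sid),
        "checked, public key only": auth_checked("alice", PUB, 12345, sid),
        "checked, valid signature": auth_checked("alice", PUB, good, sid),
        "checked, signature from other session": auth_checked("alice", PUB, good, other_sid),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the checked path rejects a request that carries an authorized public key without a valid signature, and binding the signature to the session identifier also rejects a signature captured from another session.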