[svlug] OpenSSH vulnerability (Where's the beef?)
Rich Bodo
rsb at ostel.com
Tue Jun 25 16:08:08 PDT 2002
We worked around it by adding ACLs to critical firewalls for ports
redirected to ssh behind our NAT. We'll remove them when we're
satisfied it's a bit safer. All I have to say on the issue of trust
is that the openssh developers have not yet violated our trust, and
they have done good work to date, so I find their contention
compelling enough to warrant this limited mod.
-Rich
Rich Bodo | rsb at ostel.com | 650-964-4678
On Tue, 25 Jun 2002, J. Paul Reed wrote:
> On Tue, 25 Jun 2002, Rich Bodo wrote:
>
> > The exploit is real.
>
> I never said it was fake; I don't have enough information (thanks to De
> Raadt) to claim it's either fake *OR* real.
>
> > I didn't bother to upgrade, but we worked around it.
>
> How did you do that?
>
> See, *that* would be useful information that De Raadt should publish...
> don't you think?
>
> > I may upgrade when the RPMs are out on Friday. Nothing new-fangled about
> > the fix, you really just disable some code with a one-line conf file mod:
> >
> > UsePrivilegeSeparation yes
>
> So, as I asked earlier, this "privsep" code has been tested on Linux, and
> is known to be better than earlier versions of SSH without it? It's 100%
> secure, and won't lead to an (easier) exploitable compromise?
>
> Would you bet your business on it?
>
> > As he says, you go from about 30K lines to 3K lines of code with root
> > access with this fix. The code is entirely open source. Why do you say
> > that the code is not open to peer review? Do you see something wrong
> > with the privsep code?
>
> I didn't say that; I said "Where's the peer review of this "privsep" code
> on Linux?"
>
> I'm not qualified to review the privsep code... hence my question about
> peer review on Linux; it's been reviewed on *BSD, from what I've read, but
> I'd like a review by someone who's a Linux kernel/security expert.
>
> Show me that, and I'll be happy(-er).
>
> I just can't believe how willing people (and projects, i.e. Debian) are to
> just totally switch to new code without any published peer review of
> privsep on Linux and without asking any tough questions about the *real*
> danger of this supposed (and again, I clarify because I refuse to call it
> 'real' until I have more information) exploit.
>
> Open source is built on the open exchange of information... why anyone
> finds De Raadt's behavior in this current escapade acceptable, I'll never
> know.
>
> Later,
> Paul
> --------------------------------------------------------------------
> J. Paul Reed preed at sigkill.com || web.sigkill.com/preed
> Nothing satisfies more than a post-coital omelet of your own design.
> -- Will Farrell, Saturday Night Live, 5/18/02
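The one-line sshd_config change discussed above is easy to get wrong in ways sshd does not forgive: the keyword is UsePrivilegeSeparation, an unknown keyword (the "Seperation" spelling, for instance) makes sshd refuse to start with "Bad configuration option", and when a keyword appears more than once sshd uses the first occurrence, not the last. The following audit script is an added example for this archive page, not code from either poster or from the OpenSSH project; it assumes an sshd of that era which still honors the directive (modern OpenSSH makes privilege separation mandatory and no longer takes the option), and the sample config files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# privsep_status FILE
# Reports how a given sshd_config handles privilege separation.
# Prints one of: enabled, disabled, unset, misspelled, invalid:<value>
privsep_status() {
    cfg="$1"

    # The common typo "Seperation" is not merely ignored: sshd treats an
    # unknown keyword as a bad configuration option and exits, which is
    # worse than leaving the line out altogether.
    if grep -Eiq '^[[:space:]]*UsePrivilegeSeperation' "$cfg"; then
        echo misspelled
        return 0
    fi

    # sshd keyword matching is case-insensitive, and for a repeated
    # keyword the FIRST value wins, so take the first uncommented match.
    val=$(grep -Ei '^[[:space:]]*UsePrivilegeSeparation[[:space:]]+' "$cfg" \
          | head -n 1 | awk '{print tolower($2)}')

    case "$val" in
        yes) echo enabled ;;
        no)  echo disabled ;;
        "")  echo unset ;;
        *)   echo "invalid:$val" ;;
    esac
}

# Demonstration on constructed sample configs (not real host files).
tmp=$(mktemp -d)
printf 'Port 22\nUsePrivilegeSeparation yes\n'                     > "$tmp/good"
printf 'UsePrivilegeSeparation no\nUsePrivilegeSeparation yes\n'    > "$tmp/first_wins"
printf '# UsePrivilegeSeparation yes\nPort 22\n'                    > "$tmp/commented"
printf 'UsePrivilegeSeperation yes\n'                               > "$tmp/typo"
for f in good first_wins commented typo; do
    printf '%-11s %s\n' "$f:" "$(privsep_status "$tmp/$f")"
done
rm -rf "$tmp"
```

The script only reads the file; on a host with sshd installed, `sshd -t -f /path/to/sshd_config` is the authoritative check, since it parses the file with sshd's own parser and reports the exact line of any bad option before you restart the daemon.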