[svlug] OpenSSH vulnerability (Where's the beef?)
rsb at ostel.com
Tue Jun 25 16:08:08 PDT 2002
We worked around by adding ACLs to critical firewalls for ports
redirected to ssh behind our NAT. We'll remove them when we're
satisfied it's a bit safer. All I have to say on the issue of trust
is that the openssh developers have not yet violated our trust, and
they have done good work to date, so I find their contention
compelling enough to warrant this limited mod.
Rich Bodo | rsb at ostel.com | 650-964-4678
On Tue, 25 Jun 2002, J. Paul Reed wrote:
> On Tue, 25 Jun 2002, Rich Bodo wrote:
> > The exploit is real.
> I never said it was fake; I don't have enough information (thanks to De
> Raadt) to claim it's either fake *OR* real.
> > I didn't bother to upgrade, but we worked around it.
> How did you do that?
> See, *that* would be useful information that De Raadt should publish...
> don't you think?
> > I may upgrade when the RPMs are out on Friday. Nothing new-fangled about
> > the fix, you really just disable some code with a one-line conf file mod:
> > UsePrivilegeSeperation yes
> So, as I asked earlier, this "privsep" code has been tested on Linux, and
> is known to be better than earlier versions of SSH without it? It's 100%
> secure, and won't lead to an (easier) exploitable compromise?
> Would you bet your business on it?
> > As he says, you go from about 30K lines to 3K lines of code with root
> > access with this fix. The code is entirely open source. Why do you say
> > that the code is not open to peer review? Do you see something wrong
> > with the privsep code?
> I didn't say that; I said "Where's the peer review of this "privsep" code
> on Linux?"
> I'm not qualified to review the privsep code... hence my question about
> peer review on Linux; it's been reviewed on *BSD, from what I've read, but
> I'd like a review by someone who's a Linux kernel/security expert.
> Show me that, and I'll be happy(-er).
> I just can't believe how willing people (and projects, i.e. Debian) are to
> just totally switch to new code without any published peer review of
> privsep on Linux and without asking any tough questions about the *real*
> danger of this supposed (and again, I clarify because I refuse to call it
> 'real' until I have more information) exploit.
> Open source is built on the open exchange of information... why anyone
> finds De Raadt's behavior in this current escapade acceptable, I'll never
> J. Paul Reed preed at sigkill.com || web.sigkill.com/preed
> Nothing satisfies more than a post-coital omelet of your own design.
> -- Will Farrell, Saturday Night Live, 5/18/02
More information about the svlug