[olug] Theo can bite me. [or "OpenSSH Vulnerability"]

Matthew G. Marsh mgm at midwestlinux.com
Thu Jun 27 13:20:47 UTC 2002


On Wed, 26 Jun 2002, Christopher Cashell wrote:

> I will admit from the start, that Theo de Raadt annoys me. I've seen and
> participated in e-mail discussions with him before, and I've nearly
> never seen a pleasant discussion where he's involved. I don't like him.

I will agree.

> However, the whole thing with the recent OpenSSH security
> vulnerability[1] really annoys me. His poor handling of the "exploit"
> has cost a lot of people a great deal of time, effort, and hard work,
> and for many of us, unnecessarily so.
>
> Here are the basic facts, as I understand them:
>
>   o  All versions of OpenSSH < 3.4 are vulnerable to exploit. (Rumor has
>      it that versions prior to 2.3 are not vulnerable, but I've not been
>      able to positively verify this.)

Hmmmm - I am very interested in this fact (given that I _may_ be in this
position... ;-} )

>   o  Theo de Raadt has been telling everyone that they must upgrade to
>      OpenSSH 3.3 immediately, while admitting that this does not fix
>      the security hole (it does reduce the impact it has, though).
>
>   o  Theo (falsely) claimed that there was no patch or fix available
>      for this security exploit, implying that it required a source code
>      change, wouldn't be available until a new release of OpenSSH was
>      released.
>
>   o  Thousands of people were left with very little information, and
>      were forced to spend the time and effort to protect their systems,
>      upgrade OpenSSH, then test and verify it. Additionally, OpenSSH
>      3.3 has known bugs on many platforms (compression doesn't work on
>      all operating systems, including Linux 2.2.x kernels, PAM support
>      isn't complete, and breaks on many systems, etc).
>
>   o  The claim that all systems making use of OpenSSH < 3.4 are
>      vulnerable is untrue.
>
>   o  The majority of systems out there using OpenSSH are in fact not
>      vulnerable by the default setup. (Although, OpenBSD is.)
>
>   o  Your OpenSSH installation is only vulnerable to this security
>      problem if you have RSA based rhosts authentication turned on, AND
>      you have S/KEY authentication turned on. Both of these options
>      must be compiled in and enabled (most default setups leave both of
>      these disabled, even if compiled in)

Ah- hah!! May I ask as to the veracity of this information? Corroboration?
If this is true then I won't bother. I pretty much only use (and ship
PakSecured this way by default) "Keys ONLY" and SSHv1 with full libwrap
support. And the hosts.allow is created on install with only the local
subnet allowed and hosts.deny has ALL: ALL. Much safer that way although
it is a wee pain for clik-n-drool compatibility...

>   o  You can ensure that your systems are safe and secure from this bug
>      simply by editing the sshd_config (in /etc/ or /etc/ssh/), and
>      adding the directive: ChallengeResponseAuthentication no, or if
>      you already have that directive listed, change it to no. That's
>      correct, no additional patching or upgrades are needed.

Heh - cool. Basically if this is the only problem then 1.9.9 is not
vulnerable. Don't compile s/key support and disable rhosts completely...

> As far as I can tell, the only real reason that Theo didn't release this
> fix sooner, was so that he could ram his Privilege Separation feature in
> OpenSSH >= 3.3 down our throats. While I think this is a good feature in
> the long run, I seriously dislike running a program, especially one like
> ssh, that was released less than a week ago, on a production server.
> Especially when there are known bugs with it. I doubt all of these bugs
> have been fixed in OpenSSH 3.4.

Yeah - he has been getting worse lately - probably due to the same envy
that RMS seems to display so well... ;-}

> I hope I haven't annoyed everyone too much with this little rant, but as
> someone who spent a considerable amount of time upgrading half a dozen
> machines in the past two days, only to find out that none of them were
> ever even vulnerable to this exploit, I'm really pissed off.  And even
> though this is a rant, I wanted to make sure everyone knew what was
> going on.

Nyet - no annoyance here - just welcome information. Thanks!

> [1] http://online.securityfocus.com/archive/1/278818/2002-06-23/2002-06-29/0
>
> --
> Christopher

#include <confidential.notice>

/* If you read this and are not supposed to - shame on you */

--------------------------------------------------
Matthew G. Marsh,  President
Paktronix Systems LLC
1506 North 59th Street
Omaha  NE  68104
Phone: (402) 932-7250
Email: mgm at midwestlinux.com
WWW:  http://www.midwestlinux.com
--------------------------------------------------
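The quoted post's mitigation is a single sshd_config directive, and the trap it warns about is a commented-out or absent line leaving the default in force. The script below is an added example, not part of the thread or of OpenSSH; it reports the effective value of ChallengeResponseAuthentication using sshd's own rule that the first uncommented occurrence wins, and assumes the default of "yes" that the releases discussed here shipped with. Sample config files are constructed inline.

```shell
#!/bin/sh
# Added example (not from the original thread): report the effective value of a
# sshd_config keyword using sshd's rule that the FIRST occurrence wins.
# Assumed default "yes" for ChallengeResponseAuthentication (OpenSSH of that era).

# effective_value <config-file> <keyword> <default>
# Prints the value of the first uncommented matching directive, else <default>.
effective_value() {
    cfg=$1; key=$2; dflt=$3
    val=$(awk -v want="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
        # skip comment and blank lines
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        # keywords are case-insensitive; "Key value" and "Key=value" are both valid
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            n = split(line, f, /[[:space:]=]+/)
            if (tolower(f[1]) == want && n >= 2) { print tolower(f[2]); exit }
        }' "$cfg")
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$dflt"
}

# check_sshd_config <config-file>: "safe" when challenge/response auth is
# effectively off (the fix the post recommends), "exposed" otherwise.
check_sshd_config() {
    cra=$(effective_value "$1" ChallengeResponseAuthentication yes)
    if [ "$cra" = "no" ]; then printf 'safe\n'; else printf 'exposed\n'; fi
}

# Constructed sample configs so the script runs stand-alone.
tmp=${TMPDIR:-/tmp}/sshd_demo.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/vuln_config" <<'EOF'
# Directive present but commented out, so the default (yes) still applies
#ChallengeResponseAuthentication no
PermitRootLogin no
EOF
cat > "$tmp/safe_config" <<'EOF'
challengeresponseauthentication no
# A later duplicate is ignored: sshd honours the first occurrence
ChallengeResponseAuthentication yes
EOF

check_sshd_config "$tmp/vuln_config"   # exposed
check_sshd_config "$tmp/safe_config"   # safe
```

Point it at a real file with `check_sshd_config /etc/ssh/sshd_config` to confirm the edit took effect before restarting sshd.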

