[olug] Theo can bite me. [or "OpenSSH Vulnerability"]

Matthew G. Marsh mgm at midwestlinux.com
Fri Jun 28 12:29:48 UTC 2002


On Thu, 27 Jun 2002, Brian Wiese wrote:

> On Wed, 26 Jun 2002 21:42:05 -0500
> Phil Brutsche <phil at brutsche.us> wrote:
>
> |Christopher Cashell wrote:
> |> I will admit from the start, that Theo de Raadt annoys me. I've seen and
> |> participated in e-mail discussions with him before, and I've nearly
> |> never seen a pleasant discussion where he's involved. I don't like him.
> |
> |For some people (like me!) he's THE reason why they don't even THINK
> |about using OpenBSD... just so that they don't have to deal with his
> |paranoia.
> |
>
> For some people (like me!) he's THE reason why they don't even THINK about
> using ANYTHING OTHER THAN OpenBSD... just cuz it's usually so darn secure.
>  I like paranoia sometimes. =)

Not going to touch this other than to note that understanding is usually
more powerful than paranoia. And actually I disliked BSD back in '82 due
to the ridiculous start up scripts... But that is another story for when
we get a real religious war flaming... ;-}

> |> However, the whole thing with the recent OpenSSH security
> |> vulnerability[1] really annoys me. His poor handling of the "exploit"
> |> has cost a lot of people a great deal of time, effort, and hard work,
> |> and for many of us, unnecessarily so.
> |>
> |> Here are the basic facts, as I understand them:
> |>
> |>   o  All versions of OpenSSH < 3.4 are vulnerable to exploit. (Rumor has
> |>      it that versions prior to 2.3 are not vulnerable, but I've not been
> |>      able to positively verify this.)
> |
> | From what I've read and can tell, that's partially true: the bugs are
> |only in code paths concerning SSH protocol v2; OpenSSH v1 -> v1.2.3
> |aren't affected in that case.
>
> Uhm... from what I remember, any SSH protocol less than v2 is INsecure...
> kinda like Telnet.

False. SSH v1 is very secure but was/is not "RFC" and additionally the
original implementation had a severe license change in 1.2.13 (which BTW
the BSD folks used as their fork point for OpenSSH) which rendered it
essentially unusable outside of true academic circles. This point of
contention on the license ended up being the start of the "SSHv1 is
insecure" rumours. Fact is that SSHv1 is very well used and comprehensive
when used properly. Personally I never liked (having read the RFCs) v2 but
I do see some good things in "v3". I still use only v1 with appropriate
restrictions. Be more than happy sometime to relate all that - hmmm maybe
I will try to write up how I use it - please feel free to bug me about it.

> |
> |The buggy code was probably introduced in v2.3.
> |
> |>   o  Theo de Raadt has been telling everyone that they must upgrade to
> |>      OpenSSH 3.3 immediately, while admitting that this does not fix
> |>      the security hole (it does reduce the impact it has, though).
> |
> |What he said is only partially true; he recommended v3.3 because of the
> |privilege separation code (the buggy code would run in a chroot as an
> |unprivileged UID), which was first introduced in v3.2.
> |
> |The big difference is that v3.3's privilege separation feature is on by
> |default and is more mature code.
>
> I'm down with that.
>
> |
> |>   o  Theo (falsely) claimed that there was no patch or fix available
> |>      for this security exploit, implying that it required a source code
> |>      change, wouldn't be available until a new release of OpenSSH was
> |>      released.
> |
> |1) 99% of the time correctly fixing a security bug involves a source
> |code change
> |
> |2) He didn't even bother to tell people how to *work* *around* the
> |problem (ie "Disable option XYZ in sshd_config until we can produce a fix")
> |
> |[...]
>
> yeah, "Disable option XYZ" woulda been nice... but more mature code? +++
> Perhaps disabling the options is only a 'temporary' fix and should not be
> relied upon that "ok, disabled XYZ.. I'm secure now. = forget about it"?

Yeah - The core point is that only the BSD(s) were vulnerable and if you
compiled your own OpenSSH without the SecurID and Kerberos you were fine.
Most Linux vendors however tend to follow OpenBSD WRT the compilation
options. I view this as a failure to understand the uses of the software.
I mean - when is the last time you saw a copy of RH or MDK come with a
SecurID card reader...  Not that that would not be way cool... ;-}

> |> I hope I haven't annoyed everyone too much with this little rant, but as
> |> someone who spent a considerable amount of time upgrading half a dozen
> |> machines in the past two days, only to find out that none of them were
> |> ever even vulnerable to this exploit, I'm really pissed off.  And even
> |> though this is a rant, I wanted to make sure everyone knew what was
> |> going on.
>
> nah man, appreciate all the info. I didn't know about 1/2 of that stuff!
>
> |And so that people could know what a frelling paranoid ass (pardon the
> |french) Theo is!
>
> "It's not paranoia, if they're really after you." - Enemy of the State
>
> There are some operations that RELY on security, they better be paranoid
> if they are constantly under attack.  We need secure OSs and paranoid code
> auditing hackers like the OpenBSD crew to give us something to depend on.
> (and Matthew Marsh's PakSecured of course)

-blush- And agreed - the {Open,Net,Free}BSD crew(s) are very vigilant.
Personally I have met Theo and dislike him even more for having met him
but that is nothing against the BSD(s) just him.

Heh - this whole thing has been very interesting in seeing how the
religions^H^HUnixes stack up. BugTraq and several of the other security
lists have exploded with arguments. And some good info is floating amongst
the yelling.

> imho - "Insecurity is better than a false sense of security."
>
>   Brian Wiese | bwiese at cotse.com | aim: unolinuxguru
> ------------------------------------------------------
>   GnuPG/PGP key 0x1E820A73 | "FREEDOM!" - Braveheart

--------------------------------------------------
Matthew G. Marsh,  President
Paktronix Systems LLC
1506 North 59th Street
Omaha  NE  68104
Phone: (402) 932-7250
Email: mgm at midwestlinux.com
WWW:  http://www.midwestlinux.com
--------------------------------------------------

