[olug] Theo can bite me. [or "OpenSSH Vulnerability"]

Christopher Cashell topher at zyp.org
Thu Jun 27 01:46:42 UTC 2002


I will admit from the start, that Theo de Raadt annoys me. I've seen and
participated in e-mail discussions with him before, and I've nearly
never seen a pleasant discussion where he's involved. I don't like him.

However, the whole thing with the recent OpenSSH security
vulnerability[1] really annoys me. His poor handling of the "exploit"
has cost a lot of people a great deal of time, effort, and hard work,
and for many of us, unnecessarily so.

Here are the basic facts, as I understand them:

  o  All versions of OpenSSH < 3.4 are vulnerable to exploit. (Rumor has
     it that versions prior to 2.3 are not vulnerable, but I've not been
     able to positively verify this.)

  o  Theo de Raadt has been telling everyone that they must upgrade to
     OpenSSH 3.3 immediately, while admitting that this does not fix
     the security hole (it does reduce the impact it has, though).

  o  Theo (falsely) claimed that there was no patch or fix available
     for this security exploit, implying that it required a source code
     change, and wouldn't be available until a new release of OpenSSH was
     released.

  o  Thousands of people were left with very little information, and
     were forced to spend the time and effort to protect their systems,
     upgrade OpenSSH, then test and verify it. Additionally, OpenSSH
     3.3 has known bugs on many platforms (compression doesn't work on
     all operating systems, including Linux 2.2.x kernels, PAM support
     isn't complete, and breaks on many systems, etc).

  o  The claim that all systems making use of OpenSSH < 3.4 are
     vulnerable is untrue.

  o  The majority of systems out there using OpenSSH are in fact not
     vulnerable by the default setup. (Although, OpenBSD is.)

  o  Your OpenSSH installation is only vulnerable to this security
     problem if you have RSA based rhosts authentication turned on, AND
     you have S/KEY authentication turned on. Both of these options
     must be compiled in and enabled (most default setups leave both of
     these disabled, even if compiled in).

  o  You can ensure that your systems are safe and secure from this bug
     simply by editing the sshd_config (in /etc/ or /etc/ssh/), and
     adding the directive: ChallengeResponseAuthentication no, or if
     you already have that directive listed, change it to no. That's
     correct, no additional patching or upgrades are needed.

As far as I can tell, the only real reason that Theo didn't release this
fix sooner was so that he could ram his Privilege Separation feature in
OpenSSH >= 3.3 down our throats. While I think this is a good feature in
the long run, I seriously dislike running a program, especially one like
ssh, that was released less than a week ago, on a production server.
Especially when there are known bugs with it. I doubt all of these bugs
have been fixed in OpenSSH 3.4.

I hope I haven't annoyed everyone too much with this little rant, but as
someone who spent a considerable amount of time upgrading half a dozen
machines in the past two days, only to find out that none of them were
ever even vulnerable to this exploit, I'm really pissed off. And even
though this is a rant, I wanted to make sure everyone knew what was
going on.

[1] http://online.securityfocus.com/archive/1/278818/2002-06-23/2002-06-29/0

--
Christopher
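The sshd_config change the post describes (set ChallengeResponseAuthentication to no, or add it if absent) can be checked and applied mechanically. The following is an added example, not code from the post or from OpenSSH; the config fragments are constructed, and the helper function names are my own. It follows sshd_config parsing rules (first occurrence of a keyword wins, keywords are case-insensitive, `#` starts a comment) and reports the two config-level conditions the post names; it cannot see whether S/KEY support was compiled in.

```python
import re

# Constructed sample configs (not taken from the post).
VULNERABLE_CFG = """
# Constructed: rhosts-RSA on and challenge-response left at yes
Port 22
RhostsRSAAuthentication yes
ChallengeResponseAuthentication yes
"""
SAFE_CFG = """
Port 22
ChallengeResponseAuthentication no
"""

def parse_sshd_config(text):
    """Return {keyword_lower: value} using sshd's first-match-wins rule.
    Accepts 'Keyword value' and 'Keyword=value'; strips '#' comments.
    Match blocks are not handled (hypothetical simplification)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = re.split(r'\s*=\s*|\s+', line, maxsplit=1)
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg

def challenge_response_enabled(text):
    """ChallengeResponseAuthentication defaults to 'yes' when absent."""
    cfg = parse_sshd_config(text)
    return cfg.get('challengeresponseauthentication', 'yes').lower() == 'yes'

def exposed_per_post(text):
    """True when both options the post lists are on in the config:
    RhostsRSAAuthentication (default no) and challenge-response (default yes)."""
    cfg = parse_sshd_config(text)
    rhosts_rsa = cfg.get('rhostsrsaauthentication', 'no').lower() == 'yes'
    return rhosts_rsa and challenge_response_enabled(text)

def set_challenge_response_no(text):
    """Rewrite every ChallengeResponseAuthentication line to 'no' (all must
    change, since the first one wins) or append the directive if missing."""
    out, found = [], False
    for raw in text.splitlines():
        code = raw.split('#', 1)[0].strip()
        if re.match(r'(?i)^challengeresponseauthentication(\s|=)', code):
            out.append('ChallengeResponseAuthentication no')
            found = True
        else:
            out.append(raw)
    if not found:
        out.append('ChallengeResponseAuthentication no')
    return '\n'.join(out) + '\n'
```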

