[olug] Theo can bite me. [or "OpenSSH Vulnerability"]

Phil Brutsche phil at brutsche.us
Thu Jun 27 02:42:05 UTC 2002


Christopher Cashell wrote:
> I will admit from the start, that Theo de Raadt annoys me. I've seen and
> participated in e-mail discussions with him before, and I've nearly
> never seen a pleasant discussion where he's involved. I don't like him.

You're not the first person to notice that Theo is like a flammable 
gas... introducing him to a touchy (aka "hot") topic will produce a lot 
of fire.

For some people (like me!) he's THE reason why they don't even THINK 
about using OpenBSD... just so that they don't have to deal with his 
paranoia.

> However, the whole thing with the recent OpenSSH security
> vulnerability[1] really annoys me. His poor handling of the "exploit"
> has cost a lot of people a great deal of time, effort, and hard work,
> and for many of us, unnecessarily so.
> 
> Here are the basic facts, as I understand them:
> 
>   o  All versions of OpenSSH < 3.4 are vulnerable to exploit. (Rumor has
>      it that versions prior to 2.3 are not vulnerable, but I've not been
>      able to positively verify this.)

From what I've read and can tell, that's partially true: the bugs are 
only in code paths concerning SSH protocol v2; OpenSSH v1 -> v1.2.3 
aren't affected in that case.

The buggy code was probably introduced in v2.3.

>   o  Theo de Raadt has been telling everyone that they must upgrade to
>      OpenSSH 3.3 immediately, while admitting that this does not fix
>      the security hole (it does reduce the impact it has, though).

What he said is only partially true; he recommended v3.3 because of the 
privilege separation code (the buggy code would run in a chroot as an 
unprivileged UID), which was first introduced in v3.2.

The big difference is that v3.3's privilege separation feature is on by 
default and is more mature code.

>   o  Theo (falsely) claimed that there was no patch or fix available
>      for this security exploit, implying that it required a source code
>      change, wouldn't be available until a new release of OpenSSH was
>      released.

1) 99% of the time correctly fixing a security bug involves a source 
code change

2) He didn't even bother to tell people how to *work* *around* the 
problem (i.e. "Disable option XYZ in sshd_config until we can produce a fix")

[...]

> I hope I haven't annoyed everyone too much with this little rant, but as
> someone who spent a considerable amount of time upgrading half a dozen
> machines in the past two days, only to find out that none of them were
> ever even vulnerable to this exploit, I'm really pissed off.  And even
> though this is a rant, I wanted to make sure everyone knew what was
> going on.

And so that people could know what a frelling paranoid ass (pardon the 
French) Theo is!

Phil
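Added example, not part of Phil's message or the olug thread: a small audit script that turns the facts stated above (affected range 2.3 up to but not including 3.4, protocol v2 code paths only, impact reduced when privilege separation is on, and on by default from 3.3) into a check an admin could run against a server's version banner and sshd_config before deciding whether an upgrade is urgent. The sshd_config keywords UsePrivilegeSeparation and Protocol are real options of that era; the "2,1" protocol default and the banner/config strings in the test are assumptions and constructed samples, not data from the thread.

```python
import re

# Range as stated in the thread (not independently verified here):
# versions from 2.3 up to, but not including, 3.4 are affected.
FIRST_AFFECTED = (2, 3)
FIXED_IN = (3, 4)


def parse_version(banner):
    """Extract (major, minor) from a banner like 'OpenSSH_3.3p1' (constructed sample)."""
    m = re.search(r'OpenSSH_(\d+)\.(\d+)', banner)
    if not m:
        raise ValueError('not an OpenSSH banner: %r' % banner)
    return int(m.group(1)), int(m.group(2))


def parse_sshd_config(text):
    """Map lowercase keyword -> value, skipping comments and blank lines.
    The first occurrence of a keyword wins, which is how sshd reads the file."""
    cfg = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ''
        cfg.setdefault(key, val)
    return cfg


def protocol2_enabled(cfg):
    """Protocol v1-only servers are outside the affected code paths.
    Assumption: an unset Protocol keyword means '2,1' on 3.x servers."""
    protocols = cfg.get('protocol', '2,1')
    return '2' in [p.strip() for p in protocols.split(',')]


def privsep_enabled(cfg, version):
    """Explicit UsePrivilegeSeparation wins; otherwise follow the thread's
    claim that 3.3 enables it by default and 3.2 shipped with it off."""
    val = cfg.get('useprivilegeseparation')
    if val is not None:
        return val.lower() == 'yes'
    return version >= (3, 3)


def assess(banner, config_text):
    """Return a one-line verdict for a server from its banner and sshd_config."""
    version = parse_version(banner)
    cfg = parse_sshd_config(config_text)
    if not (FIRST_AFFECTED <= version < FIXED_IN):
        return 'not affected'
    if not protocol2_enabled(cfg):
        return 'not affected'
    if privsep_enabled(cfg, version):
        return 'affected, impact reduced by privilege separation'
    return 'affected, upgrade'


if __name__ == '__main__':
    # Constructed sample: a 3.3 server with a default-ish config.
    sample_config = "# sshd_config (constructed)\nPort 22\nProtocol 2,1\n"
    print(assess('OpenSSH_3.3p1', sample_config))
```

Feed it the first line of `ssh -V` output (or the banner a client sees on connect) and the server's sshd_config; the verdict distinguishes "not affected", "affected but privsep-contained", and "affected, upgrade", which is the triage the thread complains was never spelled out.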


-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

For help contact olug-help at olug.org - run by ezmlm
to unsubscribe, send mail to olug-unsubscribe at olug.org
or `mail olug-unsubscribe at olug.org < /dev/null`
(c)1998-2002 OLUG http://www.olug.org

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
