[olug] Theo can bite me. [or "OpenSSH Vulnerability"]

Brian Wiese bwiese at cotse.com
Thu Jun 27 23:37:09 UTC 2002


On Wed, 26 Jun 2002 21:42:05 -0500
Phil Brutsche <phil at brutsche.us> wrote:

|Christopher Cashell wrote:
|> I will admit from the start that Theo de Raadt annoys me. I've seen and
|> participated in e-mail discussions with him before, and I've nearly
|> never seen a pleasant discussion where he's involved. I don't like him.
|
|For some people (like me!) he's THE reason why they don't even THINK 
|about using OpenBSD... just so that they don't have to deal with his 
|paranoia.
|

For some people (like me!) he's THE reason why they don't even THINK about
using ANYTHING OTHER THAN OpenBSD... just cuz it's usually so darn secure.
 I like paranoia sometimes. =)

|> However, the whole thing with the recent OpenSSH security
|> vulnerability[1] really annoys me. His poor handling of the "exploit"
|> has cost a lot of people a great deal of time, effort, and hard work,
|> and for many of us, unnecessarily so.
|> 
|> Here are the basic facts, as I understand them:
|> 
|>   o  All versions of OpenSSH < 3.4 are vulnerable to exploit. (Rumor has
|>      it that versions prior to 2.3 are not vulnerable, but I've not been
|>      able to positively verify this.)
|
| From what I've read and can tell, that's partially true: the bugs are 
|only in code paths concerning SSH protocol v2; OpenSSH v1 -> v1.2.3 
|aren't affected in that case.

Uhm... from what I remember, any SSH protocol less than v2 is INsecure...
kinda like Telnet.

|
|The buggy code was probably introduced in v2.3.
|
|>   o  Theo de Raadt has been telling everyone that they must upgrade to
|>      OpenSSH 3.3 immediately, while admitting that this does not fix
|>      the security hole (it does reduce the impact it has, though).
|
|What he said is only partially true; he recommended v3.3 because of the 
|privilege separation code (the buggy code would run in a chroot as an 
|unprivileged UID), which was first introduced in v3.2.
|
|The big difference is that v3.3's privilege separation feature is on by 
|default and is more mature code.

I'm down with that. 

|
|>   o  Theo (falsely) claimed that there was no patch or fix available
|>      for this security exploit, implying that it required a source code
|>      change, wouldn't be available until a new release of OpenSSH was
|>      released.
|
|1) 99% of the time correctly fixing a security bug involves a source 
|code change
|
|2) He didn't even bother to tell people how to *work* *around* the 
|problem (ie "Disable option XYZ in sshd_config until we can produce a fix")
|
|[...]

yeah, "Disable option XYZ" woulda been nice... but more mature code? +++
Perhaps disabling the options is only a 'temporary' fix and should not be
relied upon as in "ok, disabled XYZ... I'm secure now = forget about it"?

|> I hope I haven't annoyed everyone too much with this little rant, but as
|> someone who spent a considerable amount of time upgrading half a dozen
|> machines in the past two days, only to find out that none of them were
|> ever even vulnerable to this exploit, I'm really pissed off.  And even
|> though this is a rant, I wanted to make sure everyone knew what was
|> going on.

nah man, appreciate all the info. I didn't know about 1/2 of that stuff!

|And so that people could know what a frelling paranoid ass (pardon the 
|french) Theo is!

"It's not paranoia, if they're really after you." - Enemy of the State

There are some operations that RELY on security, they better be paranoid
if they are constantly under attack.  We need secure OSs and paranoid code
auditing hackers like the OpenBSD crew to give us something to depend on. 
(and Matthew Marsh's PakSecured of course)

imho - "Insecurity is better than a false sense of security."

  Brian Wiese | bwiese at cotse.com | aim: unolinuxguru
------------------------------------------------------
  GnuPG/PGP key 0x1E820A73 | "FREEDOM!" - Braveheart 
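
The thread above boils down to a triage question per host: is the installed OpenSSH at or past 3.4 (fixed, per Christopher's summary), is it 3.2/3.3 with privilege separation actually on (the mitigation Phil describes), or neither. The script below is an added example, not code from anyone in this thread or from the OpenSSH project. It takes the version banner `ssh -V` prints (on stderr) and the text of an sshd_config, and reports "fixed", "mitigated" or "exposed". Assumptions, all taken from the thread rather than verified here: 3.4 is the fixed release; `UsePrivilegeSeparation` is the sshd_config directive, available from 3.2 and defaulting to "yes" from 3.3. The banners and config snippets are constructed sample data. It deliberately says nothing about the unnamed "option XYZ" workaround, since the thread never identifies it.

```shell
#!/bin/sh
# Added example (not from the OLUG thread or from OpenSSH itself).
# Classifies a host from its OpenSSH banner and its sshd_config text.

# openssh_version BANNER -> prints "MAJOR MINOR" from an "OpenSSH_x.y..." banner
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# version_at_least BANNER MAJOR MINOR -> exit 0 if banner version >= MAJOR.MINOR
# (exit 2 if the banner is not an OpenSSH banner at all)
version_at_least() {
    set -- "$(openssh_version "$1")" "$2" "$3"
    [ -n "$1" ] || return 2
    maj=${1%% *}; min=${1#* }
    [ "$maj" -gt "$2" ] || { [ "$maj" -eq "$2" ] && [ "$min" -ge "$3" ]; }
}

# privsep_setting CONFIG_TEXT -> prints the first UsePrivilegeSeparation value
# (sshd uses the first occurrence of a keyword; comments are stripped first).
# Prints nothing when the directive is absent.
privsep_setting() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }
        tolower($1) == "useprivilegeseparation" { print tolower($2); exit }
    '
}

# privsep_on BANNER CONFIG_TEXT -> exit 0 if privilege separation is in effect.
# Assumption from the thread: absent directive means "yes" on 3.3+, "no" before.
privsep_on() {
    v=$(privsep_setting "$2")
    if [ -z "$v" ]; then
        version_at_least "$1" 3 3
    else
        [ "$v" = "yes" ]
    fi
}

# assess BANNER CONFIG_TEXT -> prints fixed | mitigated | exposed
assess() {
    if version_at_least "$1" 3 4; then
        echo fixed
    elif version_at_least "$1" 3 2 && privsep_on "$1" "$2"; then
        echo mitigated
    else
        echo exposed
    fi
}

# --- constructed sample inputs (not captured from real hosts) ---
BANNER_33='OpenSSH_3.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f'
BANNER_29='OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f'
CONFIG_DEFAULT='# constructed sshd_config with no privsep directive
Port 22
Protocol 2
'
CONFIG_PRIVSEP_OFF='Port 22
UsePrivilegeSeparation no   # explicitly disabled
'

# Stand-alone run: one line per (banner, config) pair.
echo "3.3, default config:      $(assess "$BANNER_33" "$CONFIG_DEFAULT")"
echo "3.3, privsep off:         $(assess "$BANNER_33" "$CONFIG_PRIVSEP_OFF")"
echo "2.9, default config:      $(assess "$BANNER_29" "$CONFIG_DEFAULT")"
```

On a real host you would feed it `ssh -V 2>&1` and `cat /etc/ssh/sshd_config` (or the sshd greeting captured from port 22 for a remote box). Note that "mitigated" is exactly what Brian warns about in the thread: it reduces impact, it does not remove the bug, so it should feed an upgrade list rather than close the ticket.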

(c)1998-2002 OLUG http://www.olug.org