Upcoming OpenSSH vulnerability

Ben Lindstrom mouring at etoh.eviladmin.org
Wed Jun 26 07:51:47 EST 2002


On Tue, 25 Jun 2002, Douglas E. Engert wrote:

> From all of the e-mail recently, it appears that the "solution" to the
> upcoming OpenSSH vulnerability will be to run OpenSSH-3.3 with the Privilege
> Separation enabled.
>
> This scares the daylights out of me! Think about what you are doing here.
>
>  (1) OpenSSH 3.3 with the privsep code has only been out for less than a week.
>
Incorrect, 3.1 has Privsep.


>  (2) It's hundreds of lines of code.
>
>  (3) The privsep does not run on all platforms
>
If vendors would have started back in 3.1 helping us (over a month ago
now?) this would not be an issue.

>  (4) The privsep does not work with all the features in current ssh.
>
What features?  You have debugging information?  Patches?  Solutions?  or
are you just blowing steam?

>  (5) The privsep code has SSHD using heretofore unused operating
>      system features.
>
Umm.. you wish to clarify this babble?

>  (6) People with local modifications to SSH may not be able to
>      integrate them in such a short time frame.
>
> Don't get me wrong, the privsep concept looks like a great idea, as a second
> line of defense. But it should not be the primary defense.
>
> A fix is needed for the original bug. You still need it to keep the hackers
> off the machine. Saying that they are confined to the unprivileged child process
> still lets them have access to cycles and the network where they can try and
> attack the operating system and your network from inside.
>

Look at it this way.  Do you want us to release the exploit and the patch
now?  Or would you rather have us wait the few days to gather patch fixes
so hopefully 70% of those following along can at least be semi-protected?

This is the correct course of action.  I agree with Theo's reasons 100%.

> The other aspect of this is the reliability of 3.3. With all the new code
> what other problems might be introduced?
>

You bothered to help us test?  I've not seen a patch from you nor any
testing data?  I'm starting to get sick and tired of people whining but
not doing one bit of useful work.

I hear it on bugtraq, I hear it on slashdot, and I hear it on #unix and
#unixhelp on efnet.  Frankly, I'm starting to understand why Theo and
others take the...

		"Sit down, shut up and code."  mindset.


> If you publish the problem, without a real fix, and expect everyone to
> implement 3.3 with privsep you will have a lot of people upset who can't run 3.3 or
> can't run the privsep code. These people will be left out in the cold.
>

Privsep is a stopgap.... If you are stupid enough to think that we should
leave an exploit around in our tree just because we don't want to publish
it, you're extremely wrong.

> You need to provide a universal fix for all, not a partial fix for only some.
>

You bothered to read the announcement by Theo?  THERE WILL BE A FIX.
However, we want to ensure we can get as many people to a semi-safe
position *BEFORE* every black hat in the gawd damn net gets their hands on
it.

Ain't that a good idea? =)  Or would you rather have a hacker crack your
system before you even get a chance to patch it?  Take your choice.

- Ben
