Upcoming OpenSSH vulnerability

Douglas E. Engert deengert at anl.gov
Wed Jun 26 08:52:58 EST 2002


Your response appears to have addressed many of my points of concern. And I realize
that you and your group must be under a lot of pressure at this time. So thanks for
taking the time to respond.

Ben Lindstrom wrote:
> 
> On Tue, 25 Jun 2002, Douglas E. Engert wrote:
> 
> > From all of the e-mail recently, it appears that the "solution" to the
> > upcoming OpenSSH vulnerability will be to run OpenSSH-3.3 with the Privilege
> > Separation enabled.
> >
> > This scares the daylights out of me! Think about what you are doing here.
> >
> >  (1) OpenSSH 3.3 with the privsep code has been only out for less then a week.
> >
> Incorrect, 3.1 has Privsep. 

I am sorry, but I don't see it in the version I have: openssh-3.1p1.tar.gz
But that's a minor point. 

> 
> >  (2) Its hundreds of lines of code.
> >
> >  (3) The privsep does not run on all platforms
> >
> If vendors would have started back in 3.1 helping us (over a month ago
> now?) this would not be an issue.

Yes that would have been helpful.

> 
> >  (4) The privsep does not work with all the features in current ssh.
> >
> What features?  

"Compression is disabled on some systems, and the many varieties of PAM are causing
major headaches."  (From: Theo de Raadt <deraadt at cvs.openbsd.org> 6/24)

> You have debugging information?  Patches?  Solutions?  or
> are you just blowing steam?

No debugging yet, I just got 3.3 without privsep working today with GSSAPI.
I am going by what I have been reading in recent e-mails.

> 
> >  (5) The privsep code has SSHD using heretofore unused operating
> >      system features.
> >
> Umm.. you wish to clarify this babble? 

This appears to be the first time SSH is using shared memory, and the
passing of FDs.

> 
> >  (6) People with local modifications to SSH may not be able to
> >      integrate them in such a short time frame.
> >
> > Don't get me wrong, the privsep concept looks like a great idea, as a second
> > line of defense. But it should not be the primary defense.
> >
> > A fix is needed for the original bug. You still need it to keep the hackers
> > off the machine. Saying that they are confined to the unprivileged child process
> > still lets them have access to cycles and the network where they can try and
> > attack the operating system and your network from inside.
> >
> 
> Look at it this way.  Do you want us to release the exploit and the patch
> now?

No, what I would like you to do is release the patch when it is ready. But correct
me if I am wrong: from all the e-mail about using privsep, I was worried that
it would be the solution. If you have a patch for the real problem, that would be great.

> Or would you rather have us wait the few days to gather patch fixes
> so hopefully 70% of those following along can at least be semiprotected?
> 
> This is the correct course of action.  I agree with Theo's reasons 100%.
> 
> > The other aspect of this is the reliability of 3.3. With all the new code
> > what other problems might be introduced?
> >
> 
> You bothered to help us test?  I've not seen a patch from you nor any
> testing data?   I'm starting to get sick and tired of people whining but
> not doing one bit of useful work.

Actually I have been very happy with the support of OpenSSH,
and was trying to test this week with 3.3 with GSSAPI modifications
and Krb5-1.2.5 on Solaris, then HPUX, AIX, and SGI.
Unfortunately the GSS code needs work if it is to be used with privsep. I have
been in touch with Simon Wilkinson on this.

That is my main concern. If the upcoming solution was to rely mainly on privsep,
then I have a major problem. Your comments imply that it will not.

> 
> I hear it on bugtraq, I hear it on slashdot, and I hear it on #unix and
> #unixhelp on efnet.  Frankly, I'm starting to understand why Theo and
> others take the...
> 
>                 "Sit down, shutup and code."  mindset.
> 
> > If you publish the problem, with out a real fix, and expect everyone to
> > implement 3.3 with privsep you will have a lot of people upset who can't run 3.3 or
> > can't run the privsep code. These people will be left out in the cold.
> >
> 
> Privsep is a stopgap.... If you are stupid enough to think that we should
> leave an exploit around in our tree just because we don't want to publish
> it, you're extremely wrong.

Thanks for pointing that out. I am trying to encourage you to provide the fix,
as I don't believe I have the option to rely on privsep alone.

> 
> > You need to provide a universal fix for all, not a partial fix for only some.
> >
> 
> You bothered to read the announcement by Theo?  THERE WILL BE A FIX.
> However, we want to ensure we can get as many people to a semi-safe
> position *BEFORE* every black hat in the gawd damn net gets their hands on
> it.
> 
> Ain't that a good idea? =)  Or would you rather have a hacker crack your
> system before you even get a chance to patch it?  Take your choice.

I realize you must be under a lot of pressure to get this problem fixed,
and I intend to apply the fix as soon as it is released.

> 
> - Ben

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
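Added example, not from this thread or from OpenSSH itself: the two mechanisms the exchange above names, an unprivileged child and the passing of FDs, shown in miniature. The function names (send_fd, recv_fd, drop_privileges, privsep_roundtrip) and the unprivileged user "nobody" are my own assumptions, and the monitor and worker halves run inside one process here only to keep the demo short; a real sshd forks.

```c
#define _GNU_SOURCE
#include <sys/socket.h>
#include <unistd.h>
#include <string.h>
#include <grp.h>
#include <pwd.h>
/* Monitor side: hand one descriptor across a UNIX-domain socket as SCM_RIGHTS data. */
static int send_fd(int sock, int fd) {
    char b = 'F', cbuf[CMSG_SPACE(sizeof(int))] = { 0 };
    struct iovec iov = { &b, 1 };
    struct msghdr m = { 0 };
    m.msg_iov = &iov; m.msg_iovlen = 1; m.msg_control = cbuf; m.msg_controllen = sizeof cbuf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &m, 0) == 1 ? 0 : -1;
}

/* Worker side: receive one descriptor; returns its number in this process, or -1. */
static int recv_fd(int sock) {
    char b, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &b, 1 };
    struct msghdr m = { 0 };
    m.msg_iov = &iov; m.msg_iovlen = 1; m.msg_control = cbuf; m.msg_controllen = sizeof cbuf;
    if (recvmsg(sock, &m, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Worker side: give up root if held, and confirm it cannot be regained. */
static int drop_privileges(const char *user) {
    if (getuid() != 0) return 0;                 /* already unprivileged: nothing to drop */
    struct passwd *pw = getpwnam(user);
    if (!pw || setgroups(0, NULL) || setgid(pw->pw_gid) || setuid(pw->pw_uid)) return -1;
    return setuid(0) == 0 ? -1 : 0;              /* regaining root must fail now */
}

/* The monitor passes the read end of a pipe to the worker, which drops
 * privileges and then reads through the copy it received. 0 on success. */
int privsep_roundtrip(void) {
    int sv[2], p[2], w; char got[8] = { 0 };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) || pipe(p) || send_fd(sv[0], p[0])) return -1;
    if ((w = recv_fd(sv[1])) < 0 || drop_privileges("nobody")) return -1;
    if (write(p[1], "privsep", 7) != 7 || read(w, got, 7) != 7) return -1;
    close(sv[0]); close(sv[1]); close(p[0]); close(p[1]); close(w);
    return strcmp(got, "privsep") == 0 ? 0 : -1;
}
```

The worker only ever sees descriptors the monitor chose to give it, which is the confinement the thread argues about: the compromised child keeps those descriptors and its network access, but not the monitor's privileges.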
