Upcoming OpenSSH vulnerability
Douglas E. Engert
deengert at anl.gov
Wed Jun 26 08:52:58 EST 2002
Your response appears to have addressed many of my points of concern. And I realize
that you and your group must be under a lot of pressure at this time. So thanks for
taking the time to respond.
Ben Lindstrom wrote:
>
> On Tue, 25 Jun 2002, Douglas E. Engert wrote:
>
> > From all of the e-mail recently, it appears that the "solution" to the
> > upcoming OpenSSH vulnerability will be to run OpenSSH-3.3 with the Privilege
> > Separation enabled.
> >
> > This scares the daylights out of me! Think about what you are doing here.
> >
> > (1) OpenSSH 3.3 with the privsep code has been out for less than a week.
> >
> Incorrect, 3.1 has Privsep.
I am sorry, but I don't see it in the version I have: openssh-3.1p1.tar.gz
But that's a minor point.
>
> > (2) It's hundreds of lines of code.
> >
> > (3) The privsep does not run on all platforms
> >
> If vendors would have started back in 3.1 helping us (over a month ago
> now?) this would not be an issue.
Yes that would have been helpful.
>
> > (4) The privsep does not work with all the features in current ssh.
> >
> What features?
"Compression is disabled on some systems, and the many varieties of PAM are causing
major headaches." (From: Theo de Raadt <deraadt at cvs.openbsd.org> 6/24)
> You have debugging information? Patches? Solutions? or
> are you just blowing steam?
No debugging yet, I just got 3.3 without privsep working today with GSSAPI.
I am going by what I have been reading in recent e-mails.
>
> > (5) The privsep code has SSHD using heretofore unused operating
> > system features.
> >
> Umm.. you wish to clarify this babble?
This appears to be the first time SSH is using shared memory and the
passing of FDs.
>
> > (6) People with local modifications to SSH may not be able to
> > integrate them in such a short time frame.
> >
> > Don't get me wrong, the privsep concept looks like a great idea, as a second
> > line of defense. But it should not be the primary defense.
> >
> > A fix is needed for the original bug. You still need it to keep the hackers
> > off the machine. Saying that they are confined to the unprivileged child process
> > still lets them have access to cycles and the network where they can try and
> > attack the operating system and your network from inside.
> >
>
> Look at it this way. Do you want us to release the exploit and the patch
> now?
No. What I would like you to do is release the patch when it is ready. But correct
me if I am wrong: from all the e-mail about using privsep, I was worried that
it would be the solution. If you have a patch for the real problem, that would be great.
> Or would you rather have us wait the few days to gather patch fixes
> so hopefully 70% of those following along can at least be semiprotected?
>
> This is the correct course of action. I agree with Theo's reasons 100%.
>
> > The other aspect of this is the reliability of 3.3. With all the new code
> > what other problems might be introduced?
> >
>
> You bothered to help us test? I've not seen a patch from you nor any
> testing data? I'm starting to get sick and tired of people whining but
> not doing one bit of useful work.
Actually I have been very happy with the support of the OpenSSH,
and was trying to test this week with 3.3 with GSSAPI modifications
and Krb5-1.2.5 on Solaris, then HPUX, AIX, and SGI.
Unfortunately the GSS code needs work if it is to be used with privsep. I have
been in touch with Simon Wilkinson on this.
That is my main concern. If the upcoming solution were to rely mainly on privsep,
then I would have a major problem. Your comments imply that it will not.
>
> I hear it on bugtraq, I hear it on slashdot, and I hear it on #unix and
> #unixhelp on efnet. Frankly, I'm starting to understand why Theo and
> others take the...
>
> "Sit down, shutup and code." mindset.
>
> > If you publish the problem without a real fix, and expect everyone to
> > implement 3.3 with privsep, you will have a lot of people upset who can't run 3.3 or
> > can't run the privsep code. These people will be left out in the cold.
> >
>
> Privsep is a stopgap.... If you are stupid enough to think that we should
> leave an exploit around in our tree just because we don't want to publish
> it, you're extremely wrong.
Thanks for pointing that out. I am trying to encourage you to provide the fix,
as I don't believe I have the option to rely on privsep alone.
>
> > You need to provide a universal fix for all, not a partial fix for only some.
> >
>
> You bothered to read the announcement by Theo? THERE WILL BE A FIX.
> However, we want to ensure we can get as many people to a semi-safe
> position *BEFORE* every black hat on the gawd damn net gets their hands on
> it.
>
> Ain't that a good idea? =) Or would you rather have a hacker crack your
> system before you even get a chance to patch it? Take your choice.
I realize you must be under a lot of pressure to get this problem fixed,
and I intend to apply the fix as soon as it is released.
>
> - Ben
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
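The descriptor passing that the message above points to as a "heretofore unused" feature is the mechanism a privilege-separated daemon uses to let a privileged monitor open resources on behalf of an unprivileged child. The following is an added, self-contained illustration of that pattern (SCM_RIGHTS over a UNIX socketpair); it is not code from the thread or from OpenSSH's monitor, and the "secret" pipe standing in for a host key file, the function names send_fd / recv_fd / privsep_demo, and the child's exit codes are all constructed for this example. A real privsep child would also chroot and drop to an unprivileged uid before touching any attacker-controlled data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>

/* Send one open descriptor over a UNIX-domain socket using SCM_RIGHTS.
 * The receiver gets a new descriptor number that refers to the same file. */
int send_fd(int sock, int fd_to_send) {
    char token = 'F';                        /* one data byte must accompany the cmsg */
    struct iovec iov = { .iov_base = &token, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    memset(cbuf, 0, sizeof cbuf);
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent with send_fd(); returns the fd or -1.
 * The type/level check matters: a peer could send ordinary data instead. */
int recv_fd(int sock) {
    char token;
    struct iovec iov = { .iov_base = &token, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Privileged "monitor" opens a resource, hands the descriptor to the
 * unprivileged child, and the child reads it without ever having had the
 * right to open it. Returns the child's exit status: 0 means the child
 * read the expected constructed secret, anything else is a failure. */
int privsep_demo(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;

    /* Constructed stand-in for a privileged file such as a host key. */
    int pfd[2];
    if (pipe(pfd) < 0) return -1;
    const char secret[] = "hostkey";
    if (write(pfd[1], secret, sizeof secret) != (ssize_t)sizeof secret) return -1;
    close(pfd[1]);

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: unprivileged side. Drop what it must not keep, then wait
         * for the monitor to hand over a descriptor. */
        close(sv[0]);
        close(pfd[0]);
        int fd = recv_fd(sv[1]);
        if (fd < 0) _exit(2);
        char buf[16];
        memset(buf, 0, sizeof buf);
        ssize_t n = read(fd, buf, sizeof buf - 1);
        _exit(n > 0 && strcmp(buf, secret) == 0 ? 0 : 3);
    }

    /* Parent: the monitor. Pass the descriptor, then close its own copy. */
    close(sv[1]);
    int rc = send_fd(sv[0], pfd[0]);
    close(pfd[0]);
    close(sv[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (rc != 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    int rc = privsep_demo();
    printf("privsep_demo: %s (rc=%d)\n", rc == 0 ? "child read passed fd" : "failed", rc);
    return rc == 0 ? 0 : 1;
}
```

The point of the pattern for the debate above: the child never holds the right to open the resource, only a descriptor the monitor chose to give it, so a compromise of the child yields that descriptor and nothing more. It does not, as the message notes, stop the compromised child from using cycles and the network.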
More information about the openssh-unix-dev mailing list