Upcoming OpenSSH vulnerability
Theo de Raadt
deraadt at cvs.openbsd.org
Wed Jun 26 10:23:52 EST 2002
Obviously you can't think this thing through. Everyone who
understands, please educate him. I'm sick of people who are not
thinking this through.
> Date: Tue, 25 Jun 2002 16:47:03 -0500
> From: "Douglas E. Engert" <deengert at anl.gov>
> X-Mailer: Mozilla 4.79 [en] (Windows NT 5.0; U)
> X-Accept-Language: en
> MIME-Version: 1.0
> CC: openssh-unix-dev at mindrot.org, openssh at openbsd.org
> Subject: Upcoming OpenSSH vulnerability
> References: <20020625104024.GA29885 at faui02> <20020625171724.GA2020 at jenny.crlsca.adelphia.net>
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
>
> From all of the e-mail recently, it appears that the "solution" to the
> upcoming OpenSSH vulnerability will be to run OpenSSH-3.3 with the Privilege
> Separation enabled.
>
> This scares the daylights out of me! Think about what you are doing here.
>
> (1) OpenSSH 3.3 with the privsep code has been only out for less than a week.
>
> (2) It's hundreds of lines of code.
>
> (3) The privsep does not run on all platforms.
>
> (4) The privsep does not work with all the features in current ssh.
>
> (5) The privsep code has SSHD using heretofore unused operating system features.
>
> (6) People with local modifications to SSH may not be able to
> integrate them in such a short time frame.
>
> Don't get me wrong, the privsep concept looks like a great idea, as a second
> line of defense. But it should not be the primary defense.
>
> A fix is needed for the original bug. You still need it to keep the hackers
> off the machine. Saying that they are confined to the unprivileged child process
> still lets them have access to cycles and the network where they can try and
> attack the operating system and your network from inside.
>
> The other aspect of this is the reliability of 3.3. With all the new code
> what other problems might be introduced?
>
> If you publish the problem, without a real fix, and expect everyone to
> implement 3.3 with privsep you will have a lot of people upset who can't run 3.3 or
> can't run the privsep code. These people will be left out in the cold.
>
> You need to provide a universal fix for all, not a partial fix for only some.
>
> Thanks for listening.
>
> --
>
> Douglas E. Engert <DEEngert at anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444