No subject

Thu Nov 2 09:08:48 EST 2006

upcomming OpenSSH vulnerability will be to run OpenSSH-3.3 with the Privilege 
Separation enabled.

This scares the daylights out of me! Think about what you are doing here. 

 (1) OpenSSH 3.3 with the privsep code has been only out for less then a week. 

 (2) Its hundreds of lines of code. 

 (3) The privsep does not run on all platforms

 (4) The privsep does not work with all the features in current ssh.

 (5) The privsep code has SSHD using here-to-for unused operating system features.

 (6) People with local modifications to SSH may not be able to 
     integrate them in such a short time frame.

Don't get me wrong, the privsep concept looks like a great idea, as a second
line of defense. But it should not be the primary defense. 

A fix is needed for the original bug. You still need it to keep the hackers 
off the machine. Saying that they are confined to the unprivileged child process 
still lets then have access to cycles and the network where they can try and 
attack the operating system and your network from inside. 

The other aspect of this is the reliability of 3.3. With all the new code 
what other problems might be introduced?     

If you publish the problem, with out a real fix, and expect everyone to
implement 3.3 with privsep you will have a lot of people upset who can't run 3.3 or 
can't run the privsep code. These people will be left out in the cold. 

You need to provide a universal fix for all, not a partial fix for only some.

Thanks for listening. 


 Douglas E. Engert  <DEEngert at>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

More information about the openssh-unix-dev mailing list