Followup on Inquiry about regreSSHion postmortem

Loganaden Velvindron loganaden at gmail.com
Wed Aug 20 21:11:32 AEST 2025


On Wed, 20 Aug 2025 at 14:50, Rene Malmgren <rene.malmgren at redtoken.ae> wrote:
>
> Before I say anything about the matter at hand, I would like to comment on a few general things. I have been using ssh for about 30 years. OpenSSH has been the implementation that I have used by far the most, so it's an understatement that I take no pleasure in the statement below. But on the other hand, cybersecurity is important to me, and it is totally unacceptable to be in a situation where backdoors are purposely introduced into the most critical software our society depends on by its lead developer, and nothing happens.
>
> First of all, it is incorrect to say (as Demian does below) that I am accusing anybody of anything; I am not a prosecutor, so it's not my role to accuse people of things. What I do is go over code, make assessments of what has happened, and from that make recommendations about actions our customers should take to avoid being targeted by attackers in the future. I work in the crypto industry, so for us security matters, and this should be no small matter.
>
> I made a post-mortem on CVE-2024-6387 when it was released, and my clear recommendation based on the evidence found in the git logs was (and still is): decommission and replace. Actually, looking at how the OpenSSH community has handled what has happened, the recommendation is, if anything, on firmer ground; more on that below.
>
> I have made a rewrite of the original recommendation that was in a PDF on my (private) blog, if anybody is interested.
>
> https://againstallflags.wordpress.com/2025/08/05/regrettable-regresshion/

I read your report.

Your conclusion is to "decommission and replace openssh" with
dropbear, which lacks several proactive security features
found in openssh like privsep and sandboxing?

I disagree strongly with your assessment from a security PoV. As
stated before, I'm still surprised that more of those mistakes
have not happened. Several open source projects have one person paid
full-time to support only the build system (CI/CD).
djm can make mistakes. I made a mistake too that was committed to
OpenBSD several years ago.

You can help openssh get better by actually sending bug reports before
a release is made. Isn't this a better course of action?
