From: Rick Moen (rick at domain linuxmafia.com)
Date: Wed 26 Jun 2002 - 01:26:46 IST
Quoting Paul Kelly (longword at domain esatclear.ie):
> Have a read of the Debian announcement on the subject. They seem nearly
> as unhappy with the situation as I am. They're a good bit more
> diplomatic of course. They don't seem to have been provided with, nor
> consulted on the distribution of a patched OpenSSH to combat the bug.
> Apparently (unsubstantiated slashdot rumour that sounds plausible)
> PrivSec can't work properly yet on 2.2 kernels so Debian can't even
> release that for their stable distribution. On a timescale of a few days
> I think it's unreasonable to expect PrivSec to work perfectly (read
> trustworthy) on a 2.2 Linux kernel, or on a PAM-based distribution.
A few things:
1. MandrakeSoft found a PAM glitch with 3.3p1 that denies login to people
with expired passwords. (They're supposed to get a chance to change
their passwords.)
2. Debian developers have found that 3.3p1's priv sep breaks PAM's
support of OpenSSH with the OPIE patch.
3. It's widely claimed that priv sep is incompatible with SSH-stream
compression on Linux 2.2 kernels. However, I did one day of testing
on kernel 2.2.19 machines (my servers being crummy old uniprocessor
boxes), without disabling compression, and saw no problems -- for
whatever that's worth.
Other glitches, especially in PAM support, may be coming out as we
discuss this. Stay tuned.
> I just need to know that when details are released, I'll have updated
> packages the same day for my favourite major distribution. Without
> forcing me to use beta quality code in so vital a tool.
Using beta code in such a critical area makes me unhappy, too -- but
strikes me as the least of various evils. In case nobody else mentioned
it, priv sep was introduced in _March_ in the OpenBSD/NetBSD version,
but only very recently in the "portable" OpenSSH codebase that the rest
of *ix-dom uses.
And that, in turn, seems to explain why PAM is the problem area:
OpenBSD and NetBSD have thus far eschewed PAM. So, the PAM integration
is, to put it delicately, a bit raw.
-- 
Cheers,
Rick Moen
rick at domain linuxmafia.com

"The difference between common sense and paranoia is that common sense is thinking everyone is out to get you. That's normal; they are. Paranoia is thinking they're conspiring." -- J. Kegler
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:17:32 GMT