From owner-freebsd-security Mon Jun 24 21:19:54 2002
Delivered-To: freebsd-security@freebsd.org
Received: from edgemaster.zombie.org (ip68-13-69-9.om.om.cox.net [68.13.69.9]) by hub.freebsd.org (Postfix) with ESMTP id DAED837B400; Mon, 24 Jun 2002 21:19:46 -0700 (PDT)
Received: by edgemaster.zombie.org (Postfix, from userid 1001) id 431B666B04; Mon, 24 Jun 2002 23:19:46 -0500 (CDT)
Date: Mon, 24 Jun 2002 23:19:46 -0500
From: Sean Kelly
To: Theo de Raadt
Cc: Ted Cabeen, "Jacques A. Vidrine", freebsd-security@FreeBSD.ORG
Subject: Re: Hogwash
Message-ID: <20020625041946.GA6840@edgemaster.zombie.org>
References: <20020625032927.GA6579@edgemaster.zombie.org> <200206250332.g5P3WQLJ024062@cvs.openbsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200206250332.g5P3WQLJ024062@cvs.openbsd.org>
User-Agent: Mutt/1.5.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jun 24, 2002 at 09:32:26PM -0600, Theo de Raadt wrote:
> This one is clearly different. We have a tool which can avoid people being
> holed, without having to publish a patch.

What percentage of people? As it has already been said, FreeBSD-STABLE still uses OpenSSH 2.9. The privsep features do not exist in this version, and you've not clarified whether this exploit will affect this version as well. All you've said is that everybody should upgrade now or turn it off. Neither of those options is entirely helpful for a lot of us out here.

> If you don't understand that, please go back and study the situation more.

I've read your BUGTRAQ post and all your posts to this list. I don't think I'm missing anything important about the situation. If you don't understand my position, I suggest you go back and study it some more. I'm sure there are several people in the production world who will be happy to explain to you why neither of your options (upgrade or turn it off) is a good one. Maybe you could be learning about this instead of manning your e-mail client all day responding to messages like this one?

> By holding this information back for a few more days, we are
> permitting a very important protocol to be upgraded in an immune way,
> OR YOU CAN TURN IT OFF NOW.

I recall there being a root exploit in the BSD telnetd almost a year ago. That bug affected such vendors as HP, Sun, NetBSD, IBM, FreeBSD, Cray, ... I don't remember such a big issue being made out of it. I'd also wager that telnetd is used as much as or more than ssh.

You also failed to address my questions and concerns about the newness of the privsep features. It seems to me that you are using that as a crutch, or "security through obscurity". The fact(?) remains that there is an exploit. Granted, you won't tell us anything about it, but it seems to me that you should focus more on fixing the broken code than advocating some new feature in the cutting-edge version of OpenSSH. I've read in several places that the privsep version of OpenSSH has many PAM issues, which is an even greater reason not to upgrade.

I reiterate: instead of using this time as a soapbox to get people to help you test and perfect privsep, you should be fixing the known bugs. If I wanted to be using new stuff, I'd be running FreeBSD-CURRENT.

> > On Mon, Jun 24, 2002 at 08:03:08PM -0600, Theo de Raadt wrote:
> > > I'm not giving away any hints. Assume the worst and do the upgrade,
> > > and if you dislike the way I handled this, don't buy me that beer
> > > later.
> >
> > I'm just curious when this OpenBSD policy change took effect. According to
> > http://www.openbsd.org/security.html#disclosure:
> >
> > Full Disclosure
> > Like many readers of the BUGTRAQ mailing list, we believe in
> > full disclosure of security problems. In the operating system
> > arena, we were probably the first to embrace the concept. Many
> > vendors, even of free software, still try to hide issues from
> > their users.
> >
> > Security information moves very fast in cracker circles. On the
> > other hand, our experience is that coding and releasing of
> > proper security fixes typically requires about an hour of work
> > -- very fast fix turnaround is possible. Thus we think that
> > full disclosure helps the people who really care about
> > security.
> >
> > Not all of us are in the position to use cutting edge OpenSSH-portable
> > versions. By you holding back this information, you are only hurting those
> > who *CAN'T* upgrade to your latest and greatest. Has there actually been
> > enough testing of privsep to say that it contains no bugs? It seems to me
> > that we'd all be better off if you just released a diff and let us all fix
> > our own wounds.
> >
> > --
> > Sean Kelly | PGP KeyID: 77042C7B
> > smkelly@zombie.org | http://www.zombie.org

--
Sean Kelly | PGP KeyID: 77042C7B
smkelly@zombie.org | http://www.zombie.org