Date: Mon, 02 Nov 1998 14:33:10 -0600
From: "Jeffrey J. Mountin" <jeff-ml@mountin.net>
To: mike@seidata.com, freebsd-security@FreeBSD.ORG
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
Message-ID: <3.0.3.32.19981102143310.0102652c@207.227.119.2>
In-Reply-To: <Pine.BSF.4.05.9811020901240.7807-100000@ns1.seidata.com>
References: <Pine.BSF.4.02.9811020233260.17054-100000@sasami.jurai.net>

At 09:09 AM 11/2/98 -0500, mike@seidata.com wrote:
>[snip]
>
>Question:
>
>How did a discussion that was meant to logically determine the
>(un)importance of potential ssh vulnerabilities degrade into a
>childish "Linux is for lusers" (I guess I should respect the opinion
>of one who can't spell) argument which is currently doing little more
>than stating what we all (at least should) already know?

Anyone using ssh should know potential problems with various configurations.

>While this thread grows, consumes more and more bandwidth, and gets
>more off-topic, who's actually working on this problem and attempting
>to resolve it? JKH's posts are the only ones I've seen that are
>level headed - let's not go off on tangents and make speculations that
>in no way help our cause. There's work to be done.

Agreed and any discussion about various ssh auth methods should be complete, otherwise there could be a discussion lasting forever on an if-then basis.

>My (and hopefully the list's) respect to the individual(s) who
>actually comes up with proof-of-concept exploit code (to either prove
>or disprove ssh claims).

Any exploit would also depend on how ssh is configured. After reading the forwarded bulletin and checking out the links, as well as reading all the speculation here along with "possible problems" with the code, there was not one mention of HOW rootshell was implementing ssh. If they allow password authentication through ssh, how could this be considered an exploit without knowing the ENTIRE configuration?! Surely if the configuration was poorly thought out, anyone with the password could gain access.

>Sorry if this is a little terse - but I don't see how having a
>mailbox full of "Did you hear this? and this... and this..." type
>messages is going to help our situation. Let's fix it or shut up.

I'd say more facts are needed:

Rhosts/RhostsRSA?
"PasswordAuthentication yes" or not?
"PermitRootLogin" yes or not?
If only RSA key, were there only certain hosts that could use the key?
Or were they using a wrapper to limit where connections could come from?
Or were there firewall rules to limit connections to ssh?
Or what combinations of any?
etc, etc, etc

There are just too many possibilities and since rootshell has NOT released any of this, we can only speculate.

Sure there are many ways "to shoot oneself in the foot," but there are services that some use that need a bit of work in other areas to protect them. NFS would be a good one, since it was mentioned in this thread. Using NIS would be another one, but many services depend on "sane" implementations.

Also you can't fix something if you don't know how to break it or, in this case, how it was broken. Even so, I can appreciate someone doing an audit of sshd's code and pointing out *potential* problems and possibly providing a "fix" to the FBSD port version.

Not one mentions IBM's suggestions and if they should be used. Would using some of the code from ssh2 be an improvement, since ssh2 was an almost complete rewrite?

Vaguely amused by the article at ssh.fi and moderately concerned that a system, paraphrasing them, "using only ssh for connection" was compromised.

Continued discussion should be about how one should configure sshd properly, especially if it will be the only access method allowed.

I'm concerned, but don't care to run around and cry "the sky is falling" without knowing WHY it is falling, if indeed it is.

regards

Jeff Mountin - Unix Systems TCP/IP networking
jeff@mountin.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
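
Added example, not part of the original message: a small Python audit that answers the first three configuration questions above from an sshd_config file. It assumes "Rhosts/RhostsRSA" refers to the RhostsAuthentication and RhostsRSAAuthentication keywords, that keywords match case-insensitively, and it runs on a constructed sample config; repeated keywords with different values are reported as conflicting rather than guessed at.

```python
# Added example: report the sshd_config settings the message asks about.
# SAMPLE_CONFIG is constructed for illustration, not taken from any real host.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
passwordauthentication yes
RhostsAuthentication no
PermitRootLogin no
"""

# Keywords assumed to correspond to the questions in the message.
QUESTIONS = (
    "rhostsauthentication",
    "rhostsrsaauthentication",
    "passwordauthentication",
    "permitrootlogin",
)

def parse_sshd_config(text):
    """Return {lowercased keyword: [values in file order]}, skipping comments."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        seen.setdefault(parts[0].lower(), []).append(value)
    return seen

def audit(text):
    """Map each keyword of interest to a one-line finding."""
    seen = parse_sshd_config(text)
    report = {}
    for keyword in QUESTIONS:
        values = seen.get(keyword)
        if not values:
            report[keyword] = "unset (compiled-in default applies)"
        elif len(set(values)) > 1:
            report[keyword] = "conflicting: " + ", ".join(values)
        elif values[0].lower() == "no":
            report[keyword] = "disabled"
        else:
            report[keyword] = "enabled (" + values[0] + ")"
    return report

if __name__ == "__main__":
    for keyword, finding in audit(SAMPLE_CONFIG).items():
        print(f"{keyword:26} {finding}")
```

The remaining questions (per-key host restrictions, wrappers, firewall rules) live outside sshd_config and are not covered by this check.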