OpenSSH Local Root Hole
maelstrom writes: "Looks like someone's found a local root exploit for OpenSSH versions between 2.0 and 3.0.2. Seems as though it's a one-off error, there is no public exploit, but there is sure to be one shortly. They aren't ruling out remote exploit. Recommending patching and upgrading ASAP."
This is just more proof that nothing is 100% secure. :-) How does that saying go, if it can be devise it what? Some want to finish that for me?
Regardless of that though, I get on my knees and thank God everyday for SSH. It's saved me many many many hassles from simply forgetting to turn it off on computers on my home's network.
Derek Greene
Ummm, RTFP!
It's a LOCAL exploit. You have to be logged in to exploit it.
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
Actually, they may have to backdate that slogan. The problem has existed since version 2.0, so this hole would have existed since whenever they started shipping with at least version 2.0. And by the way, it is local exploit as of yet, however, remote exploitation has not been ruled out.
Geek used to be a four letter word. Now it's a six-figure one.
I assume it wouldn't be as it's on a different code base, then again 'assume means making an ASS out of U and ME'
Script kiddies have probably known about this for a while. Full disclosure is not only a way to get the word out so that it can be quickly patched (which apparently it already is) but also a way to kind of force people into an upgrade. That way no one with an old version of ssh is sitting there being unknowingly used for DDOS attacks because they didn't know they needed to upgrade.
Full disclosure has its downsides, but the upsides pretty much cancel them out.
Derek Greene
It's out there - at least on ftp.openssh.com. I built and installed 3.1p1 a couple of hours ago on Linux.
One-off: Something done intentionally but with no intention of repeating; a custom product, sample, or prototype.
Off-by-one error: An error in enumeration, such as starting or ending a count at the wrong value (e.g. 0 vs. 1), counting the starting/ending value in a cycle twice or not at all (e.g. in counting a group of people which includes yourself), counting delimiters as opposed to the items delimited (e.g. the "fence post" problem), or any analogous error.
These are rather different! When I read the abstract my first thought was "how can they determine that?"
-- MarkusQ
Ummmm, RTFP!
They aren't ruling out the possibility of a remote exploit.
Here is what can be found on their web site:
"OpenSSH 3.1 released March 7, 2002."
Hmmm... That was quick! Especially since the advisory reads:
Pine Internet Security Advisory
Advisory ID : PINE-CERT-20020301
Authors : Joost Pol
Issue date : 2002-03-07
Application : OpenSSH
Version(s) : All versions between 2.0 and 3.0.2
Pretty good job.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
For you guys too lazy to read: http://www.pine.nl/advisories/pine-cert-20020301.txt
( I was going to post the patch here, it's really small, but apparently slashcode doesn't know what the blockquote tag is for, despite claiming it's supported)
But this isn't just an attempt at karma whoring, there is a point. When a single missing '=' can cause a root exploit in code that's generally considered well-written, who are these people that actually entertain the idea that Microsoft secured their software over the last month?
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
I can't wait for the Daniel J. Bernstein version of ssh.
-russ
Don't piss off The Angry Economist
Looks like it is already available in tarball and RH72 RPM format.
Nah they don't.;) But I'm working on exploit code as we speak.
I'm going to disagree. Script kiddies don't look at security focus, they go looking for things to exploit the vulnerabilities written by well-skilled hackers/crackers. If they had waited any amount of time to upgrade, the only people who would have upgraded would have been people like me who download and install the latest version of EVERYTHING just because they can. The people with the bandwidth that need to upgrade wouldn't do it, because they can't afford the service outage. With full disclosure they'll be more or less forced into upgrading. I'm sure the multi-platform release will be done in a few hours also.
Derek Greene
You must be a troll, but for the benefit of others, OpenBSD doesn't install telnetd, named, or sendmail by default.
This kind of bug would NOT BE EXPLOITABLE if sshd was written in a modern safe language.
Synopsis: There are some reasons to use C for a project, but none apply to network daemons. As a proof of concept, I rewrote FTPD in my favorite modern language; the source went from 24,000 lines to 3000 (including support code, like PAM_MD5 password encryption), took me only a weekend to write, and is 100% buffer overflow / format string / heap corruption free.
If the canonical secure software from the canonical secure software people has bugs like this, I don't see how anyone can argue that it's possible to write secure code in C. C makes it easy to make this kind of bug, and the bugs are often exploitable.
Check out my previous post and ensuing discussion on this http://slashdot.org/comments.pl?sid=24271&cid=262
I'm trying to raise awareness about this because I think it's a real obstacle to us having secure software.
Now this is public knowledge, an exploit will be available within hours.
You do not know what you are talking about. Full disclosure has greatly improved security awareness and turn around time for fixes. If you want to turn your back on full disclosure, you are heading back into the middle-ages of computer security.
This should have been fixed before it was announced, and a period of time waited for people to upgrade.
The information was leaked by someone who jumped the gun. That is the reason why the release and advisory happened today instead of Monday. Nothing to be done about it. Instead of bitching, fix a bug in your operating system and send a patch to the developers. Much more useful behaviour for all of us.
Of course, you should be running with ln -s AJ /etc/malloc.conf anyway. It will fill freed memory with junk, and quite often finds conditions where memory is referenced after it has been freed.
In that case, there is no problem anyway. If your operating system of choice has no support for malloc debugging, lobby your developers, it is a very useful feature.
OpenSSH 3.1 was released this morning. The info and tarball for OpenBSD systems is available at:
http://www.openssh.com/openbsd.html
Mine's compiling now.
--saint
Help yourselves:
http://www.geniusweb.com/RPMS/
SSH 3.1p1 RPM's compiled without gnome-askpass, everything else is default vanilla.
My poetry site welcomes the unusual.
Unfortunately, I can't post the advisory here due to the lame lameness filter. But here are the patches:
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:13/openssh.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:13/openssh.patch.asc
Execute the following commands as root:
# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install
If you've got the ssh port installed, check out the advisory for details on what to do:
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=0+
I don't see any mention of non-suid clients in the advisory? Does any fellow /.er know if such clients are vulnerable to escalation of privileges?
This sig is false.
Phew! Thought I'd wasted the last 5 years of my professional life using the wrong language!
Has all the features any Modern Programmer could want. And it has the Highly Secure .net framework built in. What more could you want?
Best Slashdot Co
Is ssh server enabled in the default install? I would think (hope) not - You don't want to run services that you do not need, and does a workstation need sshd?
SteveB.
Errrrrm
Isn't it a bit dodgy just grabbing and installing a binary (rpm) from an untrusted source (i.e. you) for security software like SSH?
I'll get my source code from a reputable mirror and compile it myself thanks.
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
Since I'm probably not the only bonehead out there in this situation, could someone more knowledgeable than me advise on proper procedure for upgrading OpenSSH on a remote server via an ssh connection?
My server runs 2.2.0p1. I've got the 3.1p1 source and I'm ready to go. I'm always afraid that a glitch in the build procedure - or even a success - could replace the existing 2.2.0p1 sshd binary while it's talking to me and cut me off, and if something goes wrong in the process, leave the server unreachable, which means a long drive to the colo facility to sit down with a keyboard and monitor.
Can anybody help? I've never been able to find a clear answer for this question.
TIA.
-- http://frobnosticate.com
> I cry BS. Your previous post claimed that
> performance was not a reason and yet I don't
> believe you. Wake up and stop acting as the HW
> vendors lobbyist.
Actually, I am a "modern languages" lobbyist, not hardware. =) But that's because I study and believe in programming languages, not because I have some kind of financial interest.
I'd love to respond to your post but I don't know what your point is. I guess all I can do is reiterate my point on performance:
1. sshd, running on my machine for about 8 months, has accumulated a mere 2 minutes and 30 seconds of CPU time. Of course, sshd forks off a new process for each connection, but all of the ones on my machine (some of which are at least a week old) have used 0:00. If someone knows a way I can measure the actual time spent by the daemon, I'd like to hear it, but I assume for now that it is *very small*.
2. I can easily fill my 100Mbps connection without breaking 2% CPU usage. (In other words, sshd is bandwidth limited, not CPU limited.)
3. Most home / small business users do not have 100Mbps connections, and could care less about the difference between 2% or 5% CPU usage.
4. However, most home / small business users DO care about having to download patches when their C programs contain buffer overflows.
5. Modern languages are not actually much slower than C. (I estimate worst case 2x slower, typically more like 20% for SML, which is what I wrote my FTPD in.) Being easier to write in, they also give more opportunity for high-level optimizations.
Therefore, I conclude that for almost every user, security is a more important concern than speed, at least as far as network daemons go. How can you argue the opposite?
Yes, I read it. The bug is that they write outside the end of an array.
A modern language would not catch this bug (unless you were using a data structure like a search tree instead of an array). However, it would make it NON-EXPLOITABLE, because a safe language would cause an error (ie, exception) on an out-of-bounds write, not corrupt the heap or stack and allow for an exploit.
If you had a T-1, I'm sure you know how. Since when does security focus distribute exploit code? Script kiddies scavenge ready made exploits, Security Focus doesn't provide that.
Derek Greene
Two weeks ago my Mandrake box, connected to a cable modem, was rooted. The only port open to eth0 was ssh (openssh-3.0.2p1). I analyzed the logs and they indicated someone had spent an hour trying to exploit various SSH bugs that have been fixed in the past. Then there was an 8 minute pause before "linsniffer" was installed and eth0 went into "promiscuous mode".
I haven't been able to verify openssh-3.0.2p1 was truly the cause, but it seems likely. This may have been the remote root exploit which the advisory "does not rule out".
And I thought it was just about time to go home too. Now I'm warming up my compiler... :-(
UNIX? They're not even circumcised! Savages!
As I scan through, I see several posts of people giving up hope, and even those showing signs of despair because they have an ssh server that they don't want to remove that service from. Fear not my friends. Simply download the rpms (openssh, openssh-askpass, openssh-clients, openssh-server) and give it an old rpm -U openssh-*.rpm openssh-askpass-*.rpm openssh-clients-*.rpm openssh-server-*.rpm. It'll update everything for you /and/ restart your services real quick.
Or, if you feel like being a man, you can compile the sucker, and copy over the older versions and restart the services manually.
Either way, there is no need to despair. You're not going to lose your ability to serve ssh securely to your users. Of course, this comes as no news to most of you, but just wanted to explain it to the people who didn't seem to understand.
If it's fixed, then that in itself announces what the fix is. Just do a diff between vN and vN+1 and see what changed. "Hey, look, it's a buffer overrun they fixed."
Security through obscurity is no security.
How many exploits can one "secure" software package have? I mean jesus, BSD is fairly secure and this project is supposed to have BSD style security checks. What went wrong?
Information like this makes me
A. Consider purchasing SSH from a commercial source because the AMOUNT of problems with it is less
B. Going back to telnet!
Not many people out there with sniffers between my box and my connection. Lots of l33t haX0rS with worms probing port 22.
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
How many clueless users are going to a) have a dedicated server and b) be using ssh in the first place?
Derek Greene
OK, I'll tell you a bit about it.
> Does the compiler for your favorite modern
> language support binary code optimizations that
> let your ftpd run as quickly as a popular C ftpd
Yes, mlton (for my favorite modern language, SML) produces nice native code. I would guess that my server is no more than 20% slower than a C server implemented the same way.
> Does it have a GC thread that might kick in and
> cause delays?
There is no GC thread in typical SML implementations. GC happens when an allocation fails because the heap limit is reached. GC times are typically very small (especially when amortized against essentially free allocation compared to malloc()), and in fact the compiler I'm working on at school has a real-time GC. But do you really need real-time guarantees for an FTP server? The actual transfer portion doesn't even do any allocation.
My ftpd can easily fill my 100Mbps connection at school without breaking a sweat. I don't know how many users it can handle, though.
> Or did you just use bounds-checked C++ arrays
> and strings?
C++ wouldn't guarantee safety, even if using bounds-checked arrays and strings, since you can still do things like a double free of memory. Also, I find that C++ lacks many features that make writing software much nicer in SML, but that is of course a subjective thing.
That said, my ftpd would probably need more enhancements to support a *really* popular ftp site. But I think that would not be so hard; in fact, easier than C. My server is intended for the 95% of users who run a home machine and need to transfer files from time to time, but DON'T want to get rooted because they aren't up-to-date on patches. I would be VERY surprised if there is any exploitable bug in my daemon.
(Also, I think FTP sucks too. I just did it because it's a relatively simple protocol, and at the time (summer 2001) ftp servers seemed to have the highest profile security holes.)
A hell of a lot.
(I'm in the webhosting business myself...)
Vince.
I need a sig.
I read the patch. It is not a buffer overflow in the traditional sense of strcpy, but it is an out-of-bounds write. You might consider that a buffer overflow, but maybe not. (Did I even call it that?)
Read my post again: I said that this error would NOT BE EXPLOITABLE in a modern safe language. You can still make the error, but the array write would be checked and would result in some kind of defined behavior (ie, an exception). This is true of buffer overflows as well.
Well then you should be responsible enough to tell your users they need to upgrade and/or to do it for them. It's not that difficult, my little brother and sister do it all the time for me in linux when I'm away. I just say type this and this and this and ttyl. Not very difficult. But truly, how many of them use SSH? I somehow don't buy that absolutely clueless people are using something like SSH. The two are mutually exclusive it would seem to me.
Derek Greene
The most important thing to realize is that when a machine is compromised, it cannot be trusted. You may think that you were running only OpenSSH but you may have been running other services started a long time ago. I would be curious to know what kind of logs you had to go by to see what this attacker did. Slightly-smart ones clear every trace.
Also of note is that this particular advisory is known only to affect local users. I don't think this particular bug is the cause. It may have just been a friend shoulder-surfing.
If you want to do analysis on a cracked machine, you should place the hard disk into a different machine and examine the contents.
Actually, I don't care much about DOS "exploits", especially ones that require the attacker to expend resources to keep the attack up. It's pretty simple to flood my connection and make my computer unusable anyway.
In the case of SSHD, the situation you described wouldn't happen -- it spawns a new process for each connection, so an exception thrown in one wouldn't cause the others to be dropped. The attacker would merely be using up your resources.
A programmer in a modern language has plenty of choices, too. He can catch exceptions and restart the server. He can log them. And of course, the users are safe from being rooted until a patch is out.
Kerberos has been around since '88, opensource (MIT license). It is not developed at the breakneck pace of the more modern SSH and to my knowledge has had fewer exploit bugs in 14 years than the assembled flavors of (commercial *&* open) SSH have exhibited in the last 2 years.
Krb5 is not as slick as SSH, you can't use it for a poor-man's VPN; it uses a more expensive cipher (3DES) for both auth and fully enciphered network connections. Rsh, rlogin, rcp all available with strong encryption. It's not as easy to set up, nor well suited to very small networks, but for my money where applicable it's a far more solid solution.
And yeah OpenSSH's seriously checkered security record has done very little to make me think of applying OpenBSD .. thoughts?
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
After analysis, I can say that this vulnerability is a 4-byte heap overflow, VERY hard to exploit. Probably only Linux will be affected, because Doug Lea's malloc() depends on control structures located just after the malloced buffer.
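As an added example (not OpenSSH's code and not the advisory's patch), here is a constructed C model of the bounds check the thread keeps coming back to: the comparison with the missing '=' accepts an id equal to the table size, so the store lands one slot past the logical end of the table, which is exactly where a heap allocator may keep its control structures; the fixed check rejects it. The table has a deliberate guard slot so the stray write can be observed without undefined behaviour, which also illustrates the later point that a bounds-checked language would turn the same error into a defined failure instead of a corrupted heap.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not OpenSSH code: a small table of per-connection
 * channel records indexed by an integer id, as a daemon might keep.  The
 * table carries one guard slot after its logical end so that the
 * off-by-one write can be observed safely. */
#define NALLOC 4

typedef struct {
    int id;
    char name[16];
} channel_t;

typedef struct {
    channel_t *slots[NALLOC + 1];   /* index NALLOC is the guard slot */
    int nalloc;                     /* logical size: valid ids are 0..nalloc-1 */
} table_t;

/* Vulnerable bounds check: '>' where '>=' is needed, so id == nalloc passes. */
int id_valid_vuln(int id, int nalloc)
{
    if (id < 0 || id > nalloc)
        return 0;
    return 1;
}

/* Fixed bounds check: the single missing '=' added. */
int id_valid_fixed(int id, int nalloc)
{
    if (id < 0 || id >= nalloc)
        return 0;
    return 1;
}

/* Count how many ids in 0..nalloc a check accepts.  The vulnerable check
 * accepts nalloc + 1 ids for a table that only has nalloc entries. */
int accepted_ids(int (*check)(int, int), int nalloc)
{
    int n = 0;
    for (int id = 0; id <= nalloc; id++)
        n += check(id, nalloc);
    return n;
}

static void table_init(table_t *t)
{
    memset(t, 0, sizeof *t);
    t->nalloc = NALLOC;
}

/* Register a channel under id after running the given check.
 * Returns the slot written, or -1 if the id was rejected. */
int table_set(table_t *t, int (*check)(int, int), int id, channel_t *c)
{
    if (!check(id, t->nalloc))
        return -1;
    t->slots[id] = c;   /* with the vulnerable check, id == nalloc writes past the end */
    return id;
}

/* 1 if the slot just past the logical end was written.  In a real heap
 * buffer that memory belongs to whatever the allocator placed after it,
 * e.g. the control structures the post above describes. */
int guard_written(const table_t *t)
{
    return t->slots[NALLOC] != NULL;
}

/* Scenario helpers so each outcome is available as a return value. */
int demo_vuln_writes_past_end(void)
{
    table_t t;
    channel_t c = { NALLOC, "stray" };   /* constructed channel record */
    table_init(&t);
    return table_set(&t, id_valid_vuln, NALLOC, &c) == NALLOC && guard_written(&t);
}

int demo_fixed_rejects(void)
{
    table_t t;
    channel_t c = { NALLOC, "stray" };
    table_init(&t);
    return table_set(&t, id_valid_fixed, NALLOC, &c) == -1 && !guard_written(&t);
}

int main(void)
{
    printf("vulnerable check accepts %d ids for a %d-entry table\n",
           accepted_ids(id_valid_vuln, NALLOC), NALLOC);
    printf("fixed check accepts %d ids\n", accepted_ids(id_valid_fixed, NALLOC));
    printf("write past end with vulnerable check: %s\n",
           demo_vuln_writes_past_end() ? "yes" : "no");
    printf("write past end with fixed check: %s\n",
           demo_fixed_rejects() ? "no" : "yes");
    return 0;
}
```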
You may have had the best intentions, but in reality (by uploading untrusted SSH binaries) you are encouraging people to take stupid risks.
They're very trusted. I downloaded them from the vendor's site and built them myself. Anyone who trusts me (note the link to my homepage if you care to do research on myself or my company) can go download them. Anyone who has doubts can wait a week for their distro to put out updated RPMS.
I think anyone like yourself can be an armchair "security expert." Come up with something USEFUL yourself instead of whining at those of us who are trying to make life easier for others.
My poetry site welcomes the unusual.
MacOS X 10.1.3 (latest version as of now) includes OpenSSH 3.0.2p1. I wonder how long before Apple get a patch out... I don't really want to rebuild from source on MacOS X, even though it did only take 5mins to build 3.1p1 on my FreeBSD firewall.
If there were such a thing, it would use ucspi-tcp, not an additional inetd replacement, and like qmail. Ucspi-tcp provides functionality that inetd doesn't, and maintains the "connection handling" vs "services" separation that inetd provides. It is a natural step to replace parts which do not provide whatever is needed, and to reuse those parts.
Also, qmail's division of the jobs into multiple independent modules makes security analysis and improvement of the whole package much easier. Every module is completely and explicitly documented in man pages and numerous web pages, so even a less advanced programmer like me can write a wrapper for a module to add functionality to. The risk of unexpected consequences is FAR lower because modules have their own UIDs.
If there's a good reason for it, why not do it?
In theory everything is possible, until someone demonstrates that possibility in reality. OpenBSD is still right with her claim.
------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
How else are you going to do remote maintenance on it? What are you going to use for remote access to your stuff? You sure as hell don't want to use telnet.
(If you think you'll never need remote access, though, you can leave it out. As for me, I like the ability to tap into my home machines anywhere I can run SSH and VNC. I even have Win32 SSH and VNC clients on my webserver that I can download on a random Win32 box (even many public systems) to access my systems (both Linux and Win32) at home.)
20 January 2017: the End of an Error.
I just got the exact same thing compiling for OpenBSD 2.7. Yes I installed the patch first. Any ideas?
No, Thursday's out. How about never - is never good for you?
Over the course of my years of slashdot reading, I have noticed that while many are quick to point out interesting tidbits on the negative aspects of OS's, Software, and Hardware. While these reviews and notes are useful, it seems that nothing is as unbiased as it might seem.
MS exploits often announced on here (yes i like to know about them) and in this case open's dev team mistakes are also what I consider news, however I cannot remember the last time anybody pointed out the dangers of RedHat. While every new version of a linux distro is waved about with great expectations and cheer, other OS's are actually being analyzed for the bad as well as the good. I won't say that nobody posts unbiased articles, and I will even admit that if every stupid needless redhat exploit were listed on slashdot, RedHat would look as bad as Windows. Almost every OS and piece of network software has exploits, and very VERY few developers ever get it right the first time. I just wonder why it's so easy to see all of the mistakes for software that we may not (choose/want to) use while pretending all those dozens of RedHat exploits we had to patch never really were a problem.
Those who even bothered to reply to this newsworthy post with openbsd-bashing, are the ignorant monkeys of the open source community and have obviously never really compared UNIX's in the server world.
Those who bothered to reply to this stating that C is the wrong language to code in bring up minor points and expect the code that drives the internet to change. C is small cpu load and if it turns out buggy, it is the developer's fault. But to expect software developers who write based upon existing libraries and code concepts they have developed over decades of work to stop and try writing their apps in an experimental (and YES, pretty damn potentially exploitable itself being so new) language is just silly. PHP is "a modern language" and was just recently found exploitable despite years of development in the PHP arena. IMAGINE the chaos if the development language that your OS/net apps were written in was found to be buggy? To date I have not had to download a new version of gcc and recompile my OS/kern/3rd party apps due to a "C vulnerability". Using experimental non-proven ( 10 years?) languages for OS/kern/apps is a pretty stupid risk.
An unrestricted maniac runs around the streets, shooting people in the name of improving security because he aims to increase the public use of bullet-proof vests.
Alternatives to wearing bullet-proof vests:
1. Get your own fucking gun and shoot the SOB.
2. Armored vehicle.
3. Stay home.
Your analogy doesn't make sense. Finding a root-exploitable weakness in v1 isn't the same as developing an armor-piercing bullet.
The Daily Build
When they said OpenSSH I didn't think they were so serious...
But they are not listening to an externally accessible port, and thus are not REMOTELY COMPROMISABLE.
GPL'd web-based tradewars themed space game
If you think you can help, why not pitch in, instead of merely complaining? Your complaints, although valid, aren't of much use to anyone after the fact (and they do sound conceited and self-righteous, considering how little you've offered to the community, thus far).
by Mike Buddha -- Someday the mountain might get him, but the law never will.
fyi:
cipher.c : 497 : structure has no member named `flags'
cipher.c : 497 : `EVP_CIPH_CBC_MODE' undeclared (first use in this function)
cipher.c : 497 : `EVP_CIPH_VARIABLE_LENGTH' undeclared (first use in this function)
cipher.c : 498 : `EVP_CIPH_ALWAYS_CALL_INIT' undeclared (first use in this function)
(sigh)
--
"It is now safe to switch off your computer."
Don't bet on it. A while back, for kicks, I checked to see who was bombarding what ports on my box with attempted hacks. A large portion of them came from 0wn3d Linux systems. I'm just glad that (a) I kept things patched (b) didn't have a default RedHat install and (c) had a MIPS processor that obfuscated any hole I didn't yet know about.
If you don't patch a potentially remote-root hole, it's not a case of "if". It's a case of "when" you'll be 0wn3d.
Oolite: Elite-like game. For Mac, Linux and Windows
This was a very strong distribution; I dislike the current requirement that I build the RPMs myself, especially for a major problem like this.
OpenBSD is still right with her claim.
I don't think so... IIRC there was a remote root exploit in ssh < 3.0p1 which caused me to update my systems, and now this.
Everyone knows that to iterate over an array of n elements, you do this: for(i = 0; i arraySize) { error(); } else { ... }
Reeeeeeeeeeally? In what language?
How can someone like you have the nerve to criticize the OpenSSH guys?! Missing '<' and '>' in such a critical spot! Jeez! It might be a common error to make, but I would think people trying to illustrate the incompetence of a talented security software coder making a minor mistake would constantly be thinking to themselves about the consequences of these kinds of trivial syntactic errors. It's also a real bonehead mistake. Everyone knows that you use & lt ; and & gt ; in HTML to get the '<' and '>' symbols. I'm sorry if this sounds conceited (that isn't my intention) but when I look at this I have an almost subconscious SCREAMING reaction. For whatever reason, the days when I made mistakes like this have come and gone -- whenever I use '<' or '>' to illustrate how stupid someone else is (when they're trying to illustrate how stupid someone else is) I always think about it, and I cannot imagine someone not thinking about what they are doing. Especially in a piece like this. How completely, and totally embarrassing for you, Briosa.
Well, for any attempt on my box from a machine where I could trace someone responsible, I'd email them. I often got "Thanks, yes we were owned" replies, or replies from sysadmins telling me "I told that idiot to secure his RedHat box three months ago" kind of thing.
Also, hack attempts from systems that have reverse DNS entries like "ns1.foo.com" or "smtp.bar.net" are almost certainly 0wn3d machines - it's unlikely that a legitimate user is using those boxes as hack-launch platforms. I got a surprisingly large number of attempts on my box from machines like that.
Then there were the hundreds of Linux systems on RoadRunner, @home etc. which were more than likely 0wn3d boxes (because rr.com and @home tend to kick people off for hacking, so it's unlikely the box owner was aware of what was going on).
Some attacks were undoubtedly done by the machine owner, but a large volume really was from 0wn3d Linux and Solaris systems.
As for the MIPS system, it doesn't run Irix. It's Linux on a MIPS system - and therefore reasonably obscure. Don't get me wrong - I do take security very seriously and I upgraded OpenSSH on this box as well as on the Intel machine - you never know who's lurking out there looking for any chink in your armour. Most skript kiddie tools are aimed squarely at the ubiquitous - Linux on Intel (or AMD). That's not to say that there's NOT someone out there targeting Linux/MIPS, but there are many orders of magnitude more attacks aimed at the Intel boxes.
Oolite: Elite-like game. For Mac, Linux and Windows
This is not a local exploit. And didn't OpenBSD ship vulnerable SSH server implementations (with the CRC32 attack decompensator buffer overflow)?
This is not full disclosure. Details on how to exploit this vulnerability have not been released yet. In fact, I wouldn't have thought that this off-by-one error is exploitable.
Of course, this makes it more complicated to determine whether only authenticated users can exploit it. (I think so, because channel message processing starts only after authentication.)
Why does RH62 improve on all preceding and following versions? Let me count the ways...
Lots of people have said that 2.2 was Linux's "sweet spot" and this revision is great for servers - the only thing it lacks is JFS and large files. I use SGI's XFS shim for RH71 for that (should try 72 one of these days).
If you feel this way, why are you using OpenSSH? Go with a closed source implementation where that's exactly what you'll get - no documentation, no posts, no exploit code. Also no updates, unless they feel like it.
Has anyone gotten openssh-3.1p1 to compile and run properly on Slackware 8.0? I got it to compile (with a HELL of a lot of warnings), but when it starts up, it refuses to accept my password.
Anyone seeing anything similar?
Intercarve Networks, LLC
We write such servers in C for one reason: speed. The users demand it. Java has too many resource requirements (CPU, memory) for ultra high traffic on a single uniprocessor box.
Besides the fact that Java is not the only modern language, I really don't care about "ultra high traffic". If my sshd gets two connections, I'm multitasking; three I've probably been hacked. I don't need it to be faster; I need it to be secure and simple to set up and admin. Maybe the big sites should be running something else, but probably 99% of the sites that run ssh don't get heavy ssh traffic. Those sites need to worry about being hacked more than they need to worry about that last 20% of sshd speed. (If sshd is taking up 39 seconds of cpu time over 8 weeks, then 20% is a second a week; for more security, it's a great tradeoff.)
For all the trouble we made in my computer science class in High School, that had to be the best thing to come out of it. The teacher decided that Off-by-one Errors were to be called OBOBs (think Oh Bob!) for Off By One Bug. I dunno, it just feels more personal... Maybe I should find something productive to do.
--Josh
There are exactly 42,935,718 letter sized sheets in a square mile.
You should read a letter than Linus wrote a few months ago.
sendmail is enabled by default, but listens only on loopback...
As an OpenBSD serveradmin running a number of co-located webservers, I can offer this advice:
Do not install OpenSSH 3.1 over OpenBSD 2.8 unless you desire intense pain, punishment, or peril.
I tried this, and immediately ran into error messages since my OpenSSL library was out of date. (OpenBSD 2.8 ships with OpenSSL 0.9.5a by default) Once I got a new version of OpenSSL built and installed, I tried to compile OpenSSH 3.1 again, but the end result would not allow password interactive logins for some odd reason. I spent a few hours working on this issue, which put some of my paying customers in a tough position as they were unable to access the server through SSH.
I finally gave up on the 3.1 release, and found the security patch for OpenSSH 3.0.2 issued by the kind folks at pine.nl (thank you!), which, when recompiled, worked flawlessly.
The only clue that I had as to the OpenSSL library version dependency was one short, obscure mail message on the openssl-unix-dev mailing list, at this URL:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=101473993002531&w=2
This is another example of some of the frustrating aspects of OpenBSD and the way it is maintained. This OS is well-written in general, but the documentation and help text for server admins is quite lacking. Nowhere on the OpenSSH webpage was there any mention of a version incompatibility with OpenBSD 2.8's default OpenSSL installation. Nowhere on the OpenBSD pages is there a quick, easy, simple set of steps that one can take to update just one's local source tree to the current version of OpenSSL as approved by the OpenBSD team.
(Yes, I know there are man-pages for CVS. I don't care to take the time to learn the entire set of command-line options, and in situations like this, it is far more useful to get clear, simple and relevant instructions for how to fix the latest hole before some script kiddie beats me to the punch and "0wnz" my server.)
I would also caution Slashdot readers not to automatically assume that OpenBSD is "secure by default" just because the development team says so. Smart server administrators will quickly realize that a number of things need to be closed up after the default install. However, this is still *BY FAR* more secure than other OS's, which is why I will continue to run OpenBSD. For now.
Regards,
support at doughmein dot net
Super ninja monkeys will one day rule the world!
(lines preceded by ">" are command prompt lines)
(paths referred to below: /usr/src/redhat/RPMS/i386 ; /usr/lib/libcrypto.so.0 /usr/lib/libssl.so.0 /usr/lib/libcrypto.so /usr/lib/libcrypto.so.0 /usr/lib/libssl.so /usr/lib/libssl.so.0)
Get the latest source rpm for openssl (I used openssl-0.9.6-3.src.rpm). It can be obtained from rpmfind.net
Get the latest source rpm for openssh (3.1p1)
as root, do
> rpm --rebuild openssl-0.9.6-3.src.rpm
and let the system build
> cd
> rpm -Uvh --nodeps openssl-*
the nodeps is because two files called
"/usr/lib/libcrypto.so.0" and "/usr/lib/libssl.so.0" (not owned by any
RPMs) need to be properly relinked.
In order to do so, please do
> rm -f
> rm -f
> ln -s
> ln -s
note that until you do the next line, you cannot use "ssh"
anymore (mismatch between the openssl version used by the previous
openssh installation). Now to upgrade to the latest version of openssh
> rpm -Uvh openssh-*
note that files called "/etc/ssh/ssh_config.rpmnew" as well as
"/etc/ssh/sshd_config.rpmnew" will be created. They are the default
configuration files and will not replace your modified configuration
files
Hope this helps
-- Martial MICHEL
I really like to verify signatures on packages and tarballs when available, especially for tools like SSH. I've looked all over the place (including a couple public key servers) and haven't been able to find the signer's public key. Any ideas where it might be hiding?
slashdot broke my sig
*laugh* Cute.
"Moot point" is another phrase that often irks me, since so many people use it as if it meant "irrelevant" instead of (correctly) using it to mean "arguable either way."
*sigh*
-- MarkusQ
According to my dictionary (Oxford Concise English, 9th edition):
The abstract used a compound word as if it meant something that it did not, in a context where the dictionary meaning would have been valid but implausible. I inferred that they had intended to use the correct phrase (according to the dictionary) and thus, as you note, had "gotten it wrong." That was my point. You claim that there is no right or wrong way to use the words, that it is "just a figure of speech".
I understand your point, but I dispute it. Thinking that because something is "only a figure of speech" it doesn't matter how you say it can, in many cases, lead people to miss your point. I can even think of a few figures of speech that, were you to alter them slightly, could get you slapped if you are lucky and kicked in the groin if you are not.
-- MarkusQ
Then what the hell good is their claim? Wow, yeah, there's no remote hole because we don't fucking enable anything that accepts remote connections. OpenBSD's claim is as empty as its feature set.
-A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Related, but not directly. To protect from "stack smashing" techniques (buffer overflows), run your glibc apps with libsafe. It should detect, stomp out (i.e. abort()) and email you about overflow and out-of-bounds conditions by simply adding its path to the /etc/ld.so.preload file.
assert(expired(knowledge));
My MTA of choice these days is Courier. It's written by Sam Varshavchik (aka Mr. Sam), who at one point seemed to be a disciple of DJB, having written gobs of other software that goes with qmail maildirs. Courier is a complete mail server, not just a sendmail replacement. Built-in POP3/IMAP, both supporting SSL/TLS. Web and/or standard config file based administration. Supports LDAP, PgSQL, and MySQL for authentication. Mail filtering, list management, and even a webmail server. Even group calendaring. Who needs anything else? It's all integrated, so there's no obscure set of howtos to search for when you want to get an IMAP server or an LDAP authentication service running. Oh, and it's GPL'd... something you can't even begin to say about DJB's bizarre pseudo-opensource license. It's had a quarter of a million downloads off SourceForge; that's gotta say something.
To be honest, that's a bunch of crap. You should always assume the lowest amount of trust in an application's security, especially applications of this nature. If they didn't tell me what was wrong, I wouldn't believe for a second that they fixed it.
Derek Greene
Yeah, and the hole is an error in doing it manually instead of leaving it to the compiler...
Claus
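The comment above contrasts a hand-written bounds check with letting the compiler derive the bound. The following is an added illustration of that bug class in general, written for this page; it is not OpenSSH's code and makes no claim about what the actual OpenSSH defect looked like. The table, its size and the function names are all hypothetical. The buggy check uses "<=" where "<" is required, so exactly one id (the one equal to the table size) slips through; the fixed check derives the bound from the array itself with a sizeof macro so the number is never typed by hand. Neither function writes out of bounds; the buggy predicate only reports what it would have accepted.

```c
/* Added example, not OpenSSH code: an off-by-one in a hand-written
 * bounds check next to the corrected check. Everything here
 * (table, TABLE_SIZE, function names) is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define TABLE_SIZE 8

/* Derive an array's element count from the array itself, so the bound in
 * the check cannot drift from the real size when the table is resized. */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical fixed-size table of slots, indexed by a caller-supplied id. */
static int table[TABLE_SIZE];

/* Buggy predicate: "<=" accepts id == TABLE_SIZE, which is one element past
 * the end of the table. It only reports the decision; it never indexes. */
bool accepts_id_buggy(int id)
{
    return id >= 0 && id <= TABLE_SIZE;
}

/* Correct predicate: valid ids are 0 .. ARRAY_LEN(table)-1. The bound is
 * taken from the array, not retyped as a literal. */
bool accepts_id_fixed(int id)
{
    return id >= 0 && (size_t)id < ARRAY_LEN(table);
}

/* Store a value only when the id passes the correct check; otherwise leave
 * the table untouched and report failure to the caller. */
bool table_set(int id, int value)
{
    if (!accepts_id_fixed(id))
        return false;
    table[id] = value;
    return true;
}

/* Read a slot; returns -1 for ids outside the table. */
int table_value(int id)
{
    if (!accepts_id_fixed(id))
        return -1;
    return table[id];
}

/* Count ids in 0..TABLE_SIZE that the buggy check accepts and the fixed
 * check rejects: this is the "one" in off-by-one. */
int off_by_one_count(void)
{
    int n = 0;
    for (int id = 0; id <= TABLE_SIZE; id++)
        if (accepts_id_buggy(id) && !accepts_id_fixed(id))
            n++;
    return n;
}

int main(void)
{
    /* Constructed ids: the last valid one and the first invalid one. */
    printf("id %d: buggy=%d fixed=%d\n", TABLE_SIZE - 1,
           accepts_id_buggy(TABLE_SIZE - 1), accepts_id_fixed(TABLE_SIZE - 1));
    printf("id %d: buggy=%d fixed=%d\n", TABLE_SIZE,
           accepts_id_buggy(TABLE_SIZE), accepts_id_fixed(TABLE_SIZE));
    printf("ids accepted only by the buggy check: %d\n", off_by_one_count());
    return 0;
}
```

The defender's takeaway is the ARRAY_LEN idiom plus a strict "<": if the bound is computed from the array, a later change to TABLE_SIZE cannot leave a stale literal behind in the check.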
Does OpenBSD support FreeBSD's jail feature?
Could ssh be run in jail to minimize an exploit?
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
Ok, but that isn't a workstation, obviously.
-no broken link