Slashdot Mirror


New Vulnerabilities in Portable OpenSSH

An anonymous reader writes "The OpenSSH team has uncovered multiple exploitable vulnerabilities in the days-old portable release of OpenSSH. That's right folks: time to patch *again*. 3.7.1p2 is now available. Instructions and mirror list here. Please note that this vulnerability only affects *portable* OpenSSH--so if you are running OpenBSD, you're safe. This vulnerability apparently has to do with PAM, so you can use the 'UsePam no' option in your config file. Info on the advisory here and here."

324 comments

  1. Non-standard configuration by grub · · Score: 5, Informative


    From the article: At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled)

    Privilege Separation saves the day again. I think this is a testament to the forward thinking of the OpenBSD and OpenSSH people: they know that human error introduces potentially exploitable bugs, hence the work that went into PrivSep to minimize the risk.

    "The lengths some people will go to to try and damage Theo's pride" Most moronic submitter comment ever.

    --
    Trolling is a art,
    1. Re:Non-standard configuration by rsmith-mac · · Score: 1, Redundant

      Yes, but what happens when PrivSep is exploited? It too is just like any other code: human written, and potentially weak. It's another layer of security that would have to be bypassed, but it's by no means the end of exploits in other code.

    2. Re:Non-standard configuration by Frymaster · · Score: 4, Insightful

      your belt may fail
      your suspenders may fail

      if you're really serious about keeping your pants up, use both!

      this is the theory of theo-n-the-openbsd-cats. you used priv sep plus all the other security goodies.

      you don't say that doing nightly backups is a "weak" practice because the backups could fail at the same time as your main drive. do you?

    3. Re:Non-standard configuration by Anonymous Coward · · Score: 1, Funny

      Minimize the damage:

      Become a nudist, and wear a ski-mask over your head.

    4. Re:Non-standard configuration by grub · · Score: 5, Insightful


      Having a small amount of the sshd code running as root with the 'sshd' user handling the rest helps make it harder for other exploits. I don't think anyone would suggest that PrivSep makes an exploit impossible, but it is another great layer on the security-onion.

      --
      Trolling is a art,
    5. Re:Non-standard configuration by Anonymous Coward · · Score: 0

      When will the mods learn that grub is a troll. It is obvious he doesn't know what he's talking about. Anyone with a lick of creativity could have made up that post.

      pr0pz grub, you're good at what you do

    6. Re:Non-standard configuration by Anonymous Coward · · Score: 0

      troll? there was no goatse.cx link, no blacklungs link, no "RMS is gay" comment...

    7. Re:Non-standard configuration by gl4ss · · Score: 1

      i just have a bigger belly now than when i bought my pants, works excellently.

      sure my ass might flash sometime but we all know how easy it is to disable annoying flash ads.

      --
      world was created 5 seconds before this post as it is.
    8. Re:Non-standard configuration by kfg · · Score: 1

      "if you're really serious about keeping your pants up, use both!"

      But if you're really, really serious you'll take care that your hips don't disappear.

      Hard for some hackers, I know, but worth it in the pants security field.

      If you're a kilt sort of guy all bets are off though, seeing as they lack any sort of basic security to begin with.

      KFG

    9. Re:Non-standard configuration by Anonymous Coward · · Score: 0

      Yeah, well, it didn't save the day last week.

    10. Re:Non-standard configuration by Oestergaard · · Score: 2, Informative

      Unfortunately, privilege separation does not work with OPIE, the one-time password system.

      So either you run privsep, or you run OTP.

      Without OTP, you'd be crazy to log on to your ssh box from anything but a trusted terminal (e.g. your office workstation or your personal laptop). Without OTP, you cannot log on from a net cafe or anything like that, if you're just slightly security conscious.

      So I'm stuck with privsep and no OTP on some machines, and OTP without privsep on another (which I need to be able to log on to from untrusted terminals).

      It sucks, but it's the best we have for now, it seems.

      I do look forward to finally getting that 2.6 SELinux toy box set up ;)

    11. Re:Non-standard configuration by TCM · · Score: 1

      Unfortunately, privilege separation does not work with OPIE, the one-time password system.

      Care to explain why I just logged into OpenSSH_3.4 NetBSD_Secure_Shell-20030917 using OTP and privsep? Does it affect newer versions only?

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    12. Re:Non-standard configuration by Zork+the+Almighty · · Score: 1

      but worth it in the pants security field.

      LMAO

      --

      In Soviet America the banks rob you!
    13. Re:Non-standard configuration by Anonymous Coward · · Score: 0

      Actually, only doing nightly backups can be "weak" for certain applications, such as bank transaction logs which can not afford a single second of data loss. That's what "bullet-proof" enterprise solutions combining RAID, clustering, and hot swappable/redundant hardware are for.

    14. Re:Non-standard configuration by Oestergaard · · Score: 2, Informative

      Interesting.

      Is that using PAM?

      My box is on Debian 3.0 - the explanation I saw at that time was that the combination of PAM and the extra OPIE password query wouldn't work with privsep because of some too simplified assumptions in SSH/privsep about what would be asked by the system and what would be submitted by the user.

      Or something like that. I set it up half a year ago and to be honest I don't remember the details - I just remember that at that time OPIE+privsep was a no-go, at least on a Debian box with PAM.

      It sounded like it was something that could be fixed fairly easily - I was lazy and didn't bother to try doing that myself, and just went with no privsep to get a working setup. I suppose someone could have fixed whatever the problem was, in the mean time. Or maybe the problem somehow exists on Debian and not on NetBSD - I'm sure there is a reasonable explanation somewhere ;)

      Thanks for letting me know. I should check up on it.

    15. Re:Non-standard configuration by pVoid · · Score: 1
      Privilege Escalation is a cornerstone of security. It's not that forward thinking as you think. Maybe the implementation is, but the idea isn't.

      If you've ever heard about the STRIDE threat model, the E stands for Escalation of privilege.

      fyi, STRIDE stands for:

      Spoofing

      Tampering

      Repudiation

      Info Disclosure

      Denial of Service

      Elevation of Privilege

      Mind you, I'm not bad mouthing OpenSSH.

    16. Re:Non-standard configuration by TCM · · Score: 1

      I wasn't considering PAM since NetBSD doesn't come with it by default and your remark about the OTP/privsep incompatibility didn't include PAM.

      Never mind.

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    17. Re:Non-standard configuration by Anonymous Coward · · Score: 0

      I was on holiday when the last vulnerability struck. Someone tried to break in to our unpatched server, but failed. SSH failed to stop the attempt. PrivSep failed to stop the attempt. Grsecurity utterly thwarted the intruder's numerous attempts. Much to his chagrin, I imagine.
      Every bit of security helps.

    18. Re:Non-standard configuration by richie2000 · · Score: 1

      And remember to keep a pair of emergency pants around at all times.

      --
      Money for nothing, pix for free
    19. Re:Non-standard configuration by Oestergaard · · Score: 1

      Ok, I suppose that's a pretty good explanation.

      Thanks for the info.

    20. Re:Non-standard configuration by Tuck · · Score: 1

      Ironically, fixing exactly that problem is what the new PAM code was about. Instead of always assuming PAM is asking for a password, the new PAM code introduced in OpenSSH 3.7 uses SSH2's keyboard-interactive authentication (or TIS challenge-response for SSH1) to hold a proper "conversation" with the user before authenticating them.

      --
      $ find /pub -beer "James Squire Amber Ale" -drink
  2. hmm by tedtimmons · · Score: 4, Funny

    Who is pam, and what did she have to do with openssh?

    -ted

    1. Re:hmm by r_j_prahad · · Score: 4, Funny

      Pam was my ex-wife. She was pluggable by too many.

    2. Re:hmm by Anonymous Coward · · Score: 0

      I exploited all of her holes.

    3. Re:hmm by Anonymous Coward · · Score: 0

      PluggableAnalMistress .com

    4. Re:hmm by Anonymous Coward · · Score: 0

      maybe if you had a sense of humor you wouldn't be such a !@#$. What did mommy take away your X-Box ?

    5. Re:hmm by Jugalator · · Score: 1

      Another great web site from VeriSign? :P

      --
      Beware: In C++, your friends can see your privates!
    6. Re:hmm by TedCheshireAcad · · Score: 2, Funny

      Well, apparently there wasn't much Privilege Separation going on, or you would never have found out.

    7. Re:hmm by Anonymous Coward · · Score: 1, Funny

      yea she did, it was too big to fit in our house so she had to take it back to the store

    8. Re:hmm by un4given · · Score: 2, Funny

      Pam was my ex-wife. She was pluggable by too many.

      Yes, sorry about that. I discovered an exploit when I inserted a 'long' into a 'short' buffer in PAM's module...

    9. Re:hmm by TheLink · · Score: 1

      Did you fork a child process too?

      --
    10. Re:hmm by Anonymous Coward · · Score: 0

      Forking children can get you thrown in jail in most places, I would guess.

  3. A solution? by gpinzone · · Score: 4, Funny

    This vulnerability apparently has to do with PAM, so you can use the 'UsePam no' option in your config file.

    Wouldn't that prevent anyone from logging in? I guess that's a solution. Why not disconnect the network cable, too?

    1. Re:A solution? by Asgard · · Score: 3, Insightful

      Disabling PAM would only be a problem if you had only allowed PAM-specific authentication methods.
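      As an added example (not code from this thread or from OpenSSH itself), here is a small POSIX sh audit of an sshd_config for the two directives the story turns on: UsePrivilegeSeparation, whose "no" setting is the non-standard configuration the advisory calls remotely exploitable, and UsePAM, which the submitter suggests setting to "no". The sample configs and temporary paths are constructed for the demo; the "first uncommented occurrence wins" rule is how sshd_config documents repeated keywords, and the script does not assume any compiled-in default for UsePAM, so an absent directive is reported as "check" rather than guessed.

```shell
#!/bin/sh
# Added example, not from the Slashdot thread or the OpenSSH project.
# Audits an sshd_config for the two settings discussed in the story:
#   UsePrivilegeSeparation no  -> the "non-standard configuration" the
#                                 advisory says makes a bug remotely exploitable
#   UsePAM yes                 -> the PAM code path the submitter suggests
#                                 switching off with 'UsePAM no'
# Sample configs and the temp directory below are constructed for the demo.

# Print the effective value of a keyword. sshd uses the first uncommented
# occurrence of a keyword, so 'exit' after the first hit mirrors that rule.
# Prints "unset" when the keyword is absent (the compiled-in default applies).
sshd_directive() {
    # $1 = path to sshd_config, $2 = keyword (matched case-insensitively)
    awk -v key="$2" '
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Verdict for one config file, printed on stdout so it is easy to script on:
#   risk  - privsep disabled, or PAM explicitly enabled
#   check - UsePAM absent; the build default applies and must be confirmed
#   ok    - privsep left on and UsePAM explicitly no
# Reasons go to stderr.
sshd_audit() {
    cfg=$1
    privsep=$(sshd_directive "$cfg" UsePrivilegeSeparation)
    pam=$(sshd_directive "$cfg" UsePAM)
    verdict=ok
    if [ "$privsep" = "no" ]; then
        echo "$cfg: UsePrivilegeSeparation no (remotely exploitable configuration per the advisory)" >&2
        verdict=risk
    fi
    case "$pam" in
        yes)
            echo "$cfg: UsePAM yes (PAM code path reachable; set 'UsePAM no' unless you rely on PAM)" >&2
            verdict=risk ;;
        unset)
            echo "$cfg: UsePAM not set (build default applies; confirm it for this version)" >&2
            [ "$verdict" = ok ] && verdict=check ;;
    esac
    echo "$verdict"
}

# Constructed sample configs (hypothetical, for the demo only).
DEMO_DIR=$(mktemp -d)
RISKY_CFG=$DEMO_DIR/sshd_config.risky
SAFE_CFG=$DEMO_DIR/sshd_config.safe

cat > "$RISKY_CFG" <<'EOF'
# constructed sample: the configuration the advisory warns about
Port 22
Protocol 2
UsePrivilegeSeparation no
UsePAM yes
EOF

cat > "$SAFE_CFG" <<'EOF'
# constructed sample: privsep left at its default, PAM switched off
Port 22
Protocol 2
#UsePrivilegeSeparation no
UsePAM no
EOF

# Stand-alone run: one verdict line per file, reasons on stderr.
sshd_audit "$RISKY_CFG"
sshd_audit "$SAFE_CFG"
```

      The commented-out line in the second sample is deliberate: a leading "#" makes awk's first field "#UsePrivilegeSeparation", which never matches the keyword, so commented settings are ignored exactly as sshd ignores them. Run it against /etc/ssh/sshd_config (or wherever your build installs it) by replacing the sample paths.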

    2. Re:A solution? by Anonymous Coward · · Score: 0
      This vulnerability apparently has to do with PAM, so you can use the 'UsePam no' option in your config file.
      Wouldn't that prevent anyone from logging in? I guess that's a solution. Why not disconnect the network cable, too?

      Not everyone uses PAM for user authentication, you idiot.
    3. Re:A solution? by Corgha · · Score: 2, Troll

      The PAM support in that version of portable OpenSSH is broken, anyway. They ripped the old PAM support out and replaced it with something half-done.

      That's why I backported the security patches, instead of upgrading. Now I'm glad that I did.

    4. Re:A solution? by Anonymous Coward · · Score: 0

      Yeah but the people who don't already say "UsePAM no", you idiot.

    5. Re:A solution? by Anonymous Coward · · Score: 0

      No, you're the idiot. Idiot.

    6. Re:A solution? by Anonymous Coward · · Score: 0

      Shut up, idiot. You're such an idiot, idiot.

    7. Re:A solution? by Anonymous Coward · · Score: 0

      You idiot. It doesn't take an idiot's idiot to figure out that you're such an idiot. Idiot.

    8. Re:A solution? by gpinzone · · Score: 1

      Yeah, but, uh...let's say you do use PAM? I suppose you could change your network to use a different authentication method. Sounds a little like the tail wagging the dog.

    9. Re:A solution? by Anonymous Coward · · Score: 0

      You're all idiots, idiots.

    10. Re:A solution? by Anonymous Coward · · Score: 0

      Please clarify! I'm using the new openssh and the PAM support works fine for me (pam_securid and pam_listfile). You seem to be FUDding.

    11. Re:A solution? by Corgha · · Score: 2, Interesting

      Well, I haven't had time to trace it down entirely, nor will I in the near future, but it doesn't surprise me that those modules would work fine, as one is a session module and the other is, I think, an interactive one.

      However, you used to be able to use PAM for plain-old password authentication with authmethod password, and they seem to have just ripped support for that out in auth-passwd.c.

      Now, I may have sort of a weird setup, but when things worked in all the previous versions, something stops working suddenly in a new version, and you see that they re-wrote that part of the code, well, it's not too much of a leap to think that the re-write introduced some problems.

      Nor does it seem like FUD when that re-write demonstrably introduced another flaw (the subject of this /. story).

  4. Patch for x86_64? by Anonymous Coward · · Score: 0

    I've just bought an A64-FX with Debian/FX 3.2 today. When can I apt-get the patch?

    1. Re:Patch for x86_64? by Anonymous Coward · · Score: 0

      Patch available here. :)

  5. Time for a new spin on security practices? by Anonymous Coward · · Score: 4, Funny

    Maybe the OSS community needs a Trustworthy Computing initiative =]

    1. Re:Time for a new spin on security practices? by jbottero · · Score: 2

      OpenSSH... A Microsoft product, right? Oops... Forgot, one cannot criticize open source on the same standards we hold "M$" to...

    2. Re:Time for a new spin on security practices? by rajafarian · · Score: 1

      Why not??? From my experience using Linux I would say that is totally the opposite. Linux programmers seem to hold themselves to the highest standards of programming and nothing but the best and most secure is good enough (isn't that where Linux is going?), Microsoft or not.

    3. Re:Time for a new spin on security practices? by ninewands · · Score: 5, Insightful
      OpenSSH... A Microsoft product, right? Oops... Forgot, one cannot criticize open source on the same standards we hold "M$"

      Well, yes, we should hold them both to the same standard ... so when Microsoft starts announcing its own self-discovered vulnerabilities and releasing Day-Zero patches to fix them I will be just as critical of OpenSSH security as I am of Windows *cough*security*cough*.
    4. Re:Time for a new spin on security practices? by jbottero · · Score: 1

      Sorry, should have used the tags. My point is, every time Microsoft / Big Business has a security issue (and there are LOTS), they get just a little different treatment versus security issues with "open source". Please don't try to go down the road that "open source" has fewer security issues / patches; statistically, that's a load of shit.

      But, like you said, good programming habits are not exclusive.

    5. Re:Time for a new spin on security practices? by Anonymous Coward · · Score: 0
      Did you happen to see the front-page article from yesterday regarding linux crypto applications 1) sucking ass 2) not being fixed when politely told of their shortcomings?

    6. Re:Time for a new spin on security practices? by jbottero · · Score: 1

      HOW DARE you bring up flaws in Open Source software. But on a more serious note, the items discussed yesterday were either no longer being supported by their keepers, or damn close to it.... Not sure that using obsolete projects to make a point is valid...

    7. Re:Time for a new spin on security practices? by Digital+Dharma · · Score: 2, Interesting

      Actually, I thought they did. In all the big press cases in the last couple of years a patch has always been available for quite some time before the exploit became public. Think Code Red, Slammer, Blaster, etc. Microsoft does keep its code pretty solid and secure. Unfortunately there are a lot of paper MCSEs and other unqualified people proclaiming to be administrators out there who wouldn't know how to secure a system if BillG was standing in the room with them telling them how to do it. Microsoft gets a bad rap because of this, but I think there will come a time when all of the OSS community's huffing and puffing about how insecure MS is and how secure their distro of UberNix 12.x is will eventually come back to bite them in the ass. Business Development departments do pay attention to this sort of stuff, and if they ever get the sense that MS and *nix are pretty much on even ground (which they are; I've played with both for years and I can't really see any differences) they'll opt for MS every time because it's familiar and proven. All biased remarks aside, it really is.

      --
      End of Line.
    8. Re:Time for a new spin on security practices? by ajs · · Score: 2, Insightful

      Bravo! I'm glad someone is paying attention to this. Just because we happen to have a community that expects the patch to be available 20 seconds before the first person finds it is no reason to measure Linux and Windows on different yard-sticks. If the OpenSSH team can get a patch to vendors and vendors release a fix within a day or two, then that's what we should expect from Windows. And when Windows doesn't keep to that standard, we should all wonder why.

    9. Re:Time for a new spin on security practices? by evought · · Score: 5, Insightful

      Also, notice that this is a problem which *may* be remotely exploitable in a *non-standard configuration*, when certain default security measures have been *disabled by the user*.
      This is not in the same league as "Oops, we left the RPC port open and rootable by default."

      The class of errors being fixed by OpenSSH is very different and the design takes security much more seriously.

    10. Re:Time for a new spin on security practices? by Short+Circuit · · Score: 1

      Open Source has less SEVERE security issues, because of how many patches are made available. Issues in Open Source software tend to be patched quicker than in closed software.

      Open Source and UNIX-like environments are an even better combination. With Microsoft, it seems as though every time you patch, something else gets broken. (This is especially true with service packs to Windows and Visual Studio.) With UNIX environments and their separation of tasks into different programs, patching OpenSSH isn't going to bork XFree86.

    11. Re:Time for a new spin on security practices? by jbottero · · Score: 1

      Open Source has less SEVERE security issues, because of how many patches are made available. Issues in Open Source software tend to be patched quicker than in closed software.

      The very NUMBER of patches that MS issues shows this statement to be false. Microsoft issues TONS of patches, most before or shortly after the vulnerability becomes known. Sorry, but these is the facts!

      With Microsoft, it seems as though every time you patch, something else gets broken.

      Sure, dependencies can be an issue. But saying that upgrading and patching *nix platforms does not produce any mind-numbing dependency issues is simply a self delusion.

    12. Re:Time for a new spin on security practices? by tshak · · Score: 2, Insightful

      when Microsoft starts announcing its own self-discovered vulnerabilities and releasing Day-Zero patches to fix them

      They will once the OSS community start providing 0-day enterprise quality patches that actually get regression tested before being installed on mission critical servers. MS may have a few poorly tested patches in its relatively distant history, but MS still puts its patches through far more testing than most OSS patches are put through when released. Testing takes time, period.

      --

      There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
    13. Re:Time for a new spin on security practices? by Anonymous Coward · · Score: 0

      Woooo!! I am flying the enterprise!!! ENGAGE !

    14. Re:Time for a new spin on security practices? by berzerke · · Score: 1

      ...Forgot, one can not criticize open source on the same standards we hold "M$" to...

      Except you forgot two big differences. One, Openssh is free (legally). M$ charges (or tries to) for every copy. With some of M$ site licenses, you even have to pay for copies you aren't using and couldn't use. Second, this problem is only exploitable in the very newest version, and then only if you deliberately turn off some options. By default, you're pretty safe.

      The standards are different because one is apples and the other is oranges.

    15. Re:Time for a new spin on security practices? by ComputerSlicer23 · · Score: 2, Interesting
      Not to burst your bubble or anything, but I'm willing to bet the time differential between when the Copyright owner of the code knows about the problem, and when the patch is released, is much larger with Microsoft than with Open Source. There are several well documented cases where Microsoft sat on their hands rather than fix a known bug, so people finally started going public with them. That's when Microsoft started fixing them. They now attempt to have people keep quiet about them, until after they release a patch. That's a whole different thing than when the holes are announced to the public.

      On the last OpenBSD issue, I think the total time between the issue being told to the guys at OpenSSH, and the fix coming out, was measured in a single digit number of hours. I can be reasonably sure that doesn't happen at Microsoft.

      Finally, in my experience, on a RedHat Linux machine, there is almost nothing I've upgraded in the last 3 years that was a security fix. Never, not a single one, in applying every update that RedHat has put out for 3 years for 6.2, 7.0, 7.1, 7.2, 7.3, 8.0, 9.0. I can't recall the number of people I knew who didn't apply Service Packs for NT 4.0 because they fundamentally broke other critical pieces of software (Anything past NT4.0 SP1 broke the version of Netscape Server a former employer used to use, so they never did upgrade any of the fixes past SP1 for the longest time). That's because security fixes only fix the security problem. A lot of MS patches fix a dozen security problems, and then add a lot of functionality. That's really nice to make the compact and all. I wasn't ever a big user of individual hot fixes, which might have gotten me to work around this issue.

      Now upgrading to get new functionality has screwed up a couple of machines. However, assuming you can reboot the machine, there is almost nothing that has given me problems when upgrading a RedHat machine. I know that I had trouble with a couple of PAM modules not getting reset, but that was because I wasn't trying hard enough to restart the services (they held onto the shared libraries that were insecure, and I didn't restart them all). It's not that they didn't work, they just were not secure until I rebooted the machine.

      Most of the truly horrific dependencies I've heard of out of UNIX upgrades come from SUN; most of those, it's my understanding, are essentially upgraded in place, while running. That's not something a sane person tries to do. However, SUN hardware and software is special. They do a pretty good job, but the dependencies are tricky (even more so when there are patches that once installed, can never be uninstalled).

      The vulnerability going public, and the worms that exploit them months after the patches, are a reflection of the users and admins of the machines, not of the software writers themselves. You can find numskulls who run RedHat or Windows with ease. My guess is that as a percentage more numskulls run Windows than RedHat, but I think that's because Windows users/admins are a significantly larger group. To run RedHat isn't done by the average home user. If RedHat shipped by default on as many machines, that statement would flip flop, and RedHat would have a higher percentage of clueless users.

      Kirby

    16. Re:Time for a new spin on security practices? by Short+Circuit · · Score: 2, Informative

      Sure, dependencies can be an issue. But saying that upgrading and patching *nix platforms does not produce any mind-numbing dependency issues is simply a self delusion.

      I used to run Debian Woody (stable). At the cost of not getting the latest features, I got all the stability I could ask for, with all of the security patches backported. Now I run Debian Sid (unstable), which tends to have dependency problems, but I at least have control over them. And if worse comes to worst, I can install the patches personally.

    17. Re:Time for a new spin on security practices? by Anonymous Coward · · Score: 0
      I can appreciate your point on this subject. It's also worth noting that RedHat, for example, isn't vulnerable to this second issue exactly because they didn't go releasing the very latest version 3.7p1/3.7.1p1 for just this kind of possible outcome. Enterprise users do get more secure treatment than the early adopters do.


      Microsoft throws millions at 'trustworthy computing' (of the billions they reap from software sales), and still the comparison is "neck-and-neck" with a bunch of hackers mostly working for kindness and the respect of their peers when it comes to this matter?


      It's kind of funny that this is even possible to be the way it is.


      Freeloaders like me are or should be proud to BE the regression test, if it means that one less suit-n-tie, fish-egg-on-toast-eating, glorified used car sales person (I'm jaded and cynical, but I'm no sexist ;-), stuffing the profits down the pie hole, who's eating up what could have been some working stiff's raise or continued employment this year, instead has to settle for cheese-wiz on Ritz like the rest of us.


      I mean no offense to the non "anonymous coward" parent poster. Yours is a very valid comment. I'm just as I said: jaded. Thanks for putting up with me *-O!O-*


      ps: Are you counting 824146 and the first RPC patch as separate patches or a patch that fixed issues not addressed by the first one?


      Relativity is in the eye of the beholder. Or maybe I'm just mixing Einstein and poetry in the brain again. damn.

    18. Re:Time for a new spin on security practices? by ncr53c8xx · · Score: 1
      They will once the OSS community start providing 0-day enterprise quality patches that actually get regression tested before being installed on mission critical servers. MS may have a few poorly tested patches in its relatively distant history, but MS still puts its patches through far more testing than most OSS patches are put through when released. Testing takes time, period.

      Do you have any facts to back this up? I know they have a large beta testing program, but I don't know of any for patches. Unless they are able to test it with a wide variety of software configurations in-house, their regression testing would be ineffective. And the amount of errors tells the whole tale, talk about "Enterprise" quality notwithstanding.

    19. Re:Time for a new spin on security practices? by jbottero · · Score: 1

      First, I don't run nor use Microsoft products in my network, though it has to do not only with shitty MS software but also pricing and flexibility of the platform to use non MS apps, as well.

      But I think a lot of this gets tossed around as the Gospel with nothing more than anecdotes to back it up:

      ...but I'm willing to bet the time differential between when the Copyright owner of the code knows about the problem, and when the patch is released, is much larger with Microsoft then with Open Source...

      Yes, and Microsoft followers will be willing to bet the opposite, so what.

      Finally, in my experience, on a Red Hat Linux machine, there is almost nothing I've upgraded in the last 3 years that was a security fix.

      You made no security upgrades to your RH box in 3 years? Is it attached to the Internet? Please post your domain name and IP (be nice and tell us both the internal and external IP... After all, you have nothing to fear, right?), I'm sure there are some more devious types around here who would be able to show you some things

      The fact is, *nix, and Linux in particular, and Open Source in general just do not get the same level of heat for the same level of security fuck-ups. This dishonesty, in turn, colors the way a lot of the corporate suits look at Linux / Open Source ("it's backed up by a bunch of delusional religious zealots"), and this is why, until the Open Source movement is more honest about the nature of software flaws, Open Source will never be embraced by corporate business.

      My guess is that as a percentage more numskulls run Windows then Red Hat, but I think that's because Windows users/admins are a significantly larger group. To run Red Hat isn't done by the average home users. If Red Hat shipped by default on as many machines, that statement would flip flop, and Red Hat would have a higher percentage of clueless users.

      Exactly. And in this respect, if Open Source wants to be accepted by a larger percentage of commercial MS users, they need to do a lot better at PR, rather than frothing at Darl et al.

    20. Re:Time for a new spin on security practices? by ComputerSlicer23 · · Score: 1
      Sorry, I edited that sentence one too many times. I knew what it was supposed to say. In the 3 years, no security fix ever, ever led to an actual upgrade problem. If it was a security fix, you type rpm -Uhv foo.rpm, and the worst case was you had to reboot to get it to take effect (glibc, pam, upgrades to other libraries used by long running processes, or kernel upgrades). Best case, you were done after typing the command. I've seen lots of cases where Microsoft upgrades do in fact break other software.

      If Microsoft wants to argue the other way, I'll happily take that bet. There are easy to find documented cases of bugs that went years, and years. Now that they are more security aware, Microsoft says publicly that it takes them on the order of a week in order to release a bug patch (so they can do all the testing they want). They claim they can't release a patch in less than about a week, and that's why they request that after you tell them, you don't go public with an exploit in less than 30 days. That's also to give people time to patch their servers. However, Microsoft cannot honestly claim they release a patch in less than 24 hours. It's part of their anti-public disclosure argument that isn't the case. Thanks for playing.

      The truth is, that the reason Unix doesn't catch as much heat as MS products, is that when MS has a security problem, the entire Internet has a serious problem as a rule. I still get 50-100 e-mails about viruses. My mail server is still slow because of it. Some sites seem slow when the security worms are moving around. It has pretty nasty splash damage. Where as Linux problems aren't like that (probably due to critical mass).

      Finally, the one thing I truly like about OS security fixes is that I can evaluate what it is that's going on, and come up with several possible fixes myself, because I have full information. With MS, I can either patch, or turn it off. Possibly firewall it from the outside.

      At Microsoft, I'll bet the security memo can't move from the people who handle possible security alerts to the coders who write the software in less than 6 hours. It's a major multi-national corporation; information just doesn't move that quickly in an institution that large. They are a bureaucratic company with what, 50,000 employees. They aren't as nimble as a core group of 5-10 guys with their e-mail address in the source you used to build the binaries.

      Kirby

    21. Re:Time for a new spin on security practices? by lone_marauder · · Score: 1
      They will once the OSS community start providing 0-day enterprise quality patches that actually get regression tested before being installed on mission critical servers.

      Yes, because Microsoft patches have never been known to crash a server and/or fry data.

      We need an astroturf moderation option.

      --
      who are those slashdot people? they swept over like Mongol-Tartars.
    22. Re:Time for a new spin on security practices? by Anonymous Coward · · Score: 0

      You will notice that the apparent post acknowledges the fact that MS does have some history of bad patches. This doesn't negate the fact that most patches are not put through rigorous testing.

    23. Re:Time for a new spin on security practices? by bytebucket_1024 · · Score: 1

      bottom line, MS isn't the only one with vulnerabilities in their code and this isn't something the open source community seems aware of at times.

  6. I don't understand by doggkruse · · Score: 1

    Portable SSH? is that the version that is portable to OS X or portable to what? What is the difference between portable ssh and not portable?

    1. Re:I don't understand by SwansonMarpalum · · Score: 3, Informative

      Portable OpenSSH refers to OpenSSH running on some system which is not OpenBSD

      --
      "Give away the stone, let the oceans take and transmutate this cold and faded anchor." - Maynard James Keenan
    2. Re:I don't understand by Anonymous Coward · · Score: 0

      Portable to other things than the OS it was written for -- OpenBSD.

    3. Re:I don't understand by Rosyna · · Score: 1

      If you are wondering about OS X vulnerability... no. It is not affected. It uses OpenSSH 3.4p1 with the CAN-2003-0693 patch. These only seem to affect versions 3.7p1 and 3.7.1p1

    4. Re:I don't understand by Compenguin · · Score: 4, Informative

      From the portable openssh website:
      "Normal OpenSSH development produces a very small, secure, and easy to maintain version for the OpenBSD project. The OpenSSH Portability Team takes that pure version and adds portability code so that OpenSSH can run on many other operating systems (Unfortunately, in particular since OpenSSH does authentication, it runs into a *lot* of differences between Unix operating systems)."

    5. Re:I don't understand by SirPrize · · Score: 1

      From the OpenSSH website: "OpenSSH is primarily developed by the OpenBSD Project," ... "Managing the distribution of OpenSSH is split into two teams. One team does strictly OpenBSD-based development, aiming to produce code that is as clean, simple, and secure as possible. " ... " The other team then takes the clean version and makes it portable, by adding the portability "goop" so that it will run on many operating systems (these are known as the p releases, and named like "OpenSSH 3.7.1p1"). "

    6. Re:I don't understand by V.+Mole · · Score: 3, Informative

      OpenSSH is OpenBSD specific. "Portable SSH" is what everybody else uses. In other words, the OpenBSD developers (quite reasonably) don't spend any effort making SSH portable off of OpenBSD, and sometimes use OpenBSD specific functions. Other people then spend the time/effort to make it run on Linux, etc. There are features (such as, presumably, PAM support) that are not in the core OpenBSD version.

    7. Re:I don't understand by UnderScan · · Score: 1, Redundant

      From Portable OpenSSH

      Normal OpenSSH development produces a very small, secure, and easy to maintain version for the OpenBSD project. The OpenSSH Portability Team takes that pure version and adds portability code so that OpenSSH can run on many other operating systems (Unfortunately, in particular since OpenSSH does authentication, it runs into a *lot* of differences between Unix operating systems). ...

    8. Re:I don't understand by Anonymous Coward · · Score: 0

      Not exactly true. The 'other-people' who add the 'portability goop' are still by and large OpenBSD developers. They just don't complicate the initial design and programming with the portability goop, but add it on later.

    9. Re:I don't understand by Anonymous Coward · · Score: 0

      Not "Portable SSH". It's "Portable OpenSSH".

  7. Reasons not to use PAM by Anonymous Coward · · Score: 0

    1. It's bug-riddled
    2. It's got a girl's name
    3. .....
    4. Profit!

    Or something like that.

  8. ... I got a strange feeling thus ... by Anonymous Coward · · Score: 0

    ... I'll wait for 3.7.2 ...

  9. Good Times by FrozenDownload · · Score: 1

    Ahh, the joys of another afternoon spent patching boxes. I guess it is better than waiting for a vendor to come up with a patched binary package.

    1. Re:Good Times by satch89450 · · Score: 2, Interesting
      Ahh, the joys of another afternoon spent patching boxes. I guess it is better than waiting for a vendor to come up with a patched binary package.

      When I heard there was a second patched version last week, I said to myself that these things come in threes, and that I would wait for "the next round." So much for updating 50 boxes more than once.

      Will the third time be the charm, or should I avoid being on the bleeding edge and wait for next week's discoveries?

      (At least it isn't like the Microsoft patches, which come at less frequent intervals and usually do more damage to my apps than the protection is worth. -- Obligatory Microsoft Bash)

    2. Re:Good Times by holzp · · Score: 1

      I totally agree, let me have the IP range of your boxes and I'll let you know when the next exploit comes out.

    3. Re:Good Times by satch89450 · · Score: 1
      I totally agree, let me have the IP range of your boxes and I'll let you know when the next exploit comes out

      I doubt you are on the IP ranges from which we allow SSH connections, so even though the exploit is there the nice folks across both ponds are going to have an, er, interesting time gaining access. IPTABLES is your friend...

      Hey, security is so tight that I have to make three hops to get onto one of our systems from the "outside" -- which makes remote administration interesting.

  10. PAM is not in by default by Anonymous Coward · · Score: 4, Informative

    Before we all panic, note that PAM is not in the default build.

    It's also not in slackware builds (thanks Patrick).

    1. Re:PAM is not in by default by DA-MAN · · Score: 1

      Newsflash genius, most people don't use slackware. In addition not having pam normally is not something to be proud of!

      --
      Can I get an eye poke?
      Dog House Forum
    2. Re:PAM is not in by default by volkerdi · · Score: 2, Insightful

      Newsflash genius, most people don't use slackware.

      Most people use Windows.

      In addition not having pam normally is not something to be proud of!

      No, normally it is. A quick glance through the BugTraq archives will show how often there are vulnerabilities having something to do with PAM. By comparison, sendmail looks mighty bug free.

    3. Re:PAM is not in by default by TedCheshireAcad · · Score: 1

      It's also not in slackware builds

      ...like everything else?

    4. Re:PAM is not in by default by Anonymous Coward · · Score: 0

      Newsflash genius, most people don't use Linux.

    5. Re:PAM is not in by default by Alan+Hicks · · Score: 1

      Wanted to throw my two-cents in. This is the second time in as many years that Slackware has been immune to a vulnerability in SSH that involved PAM. Since the majority of users don't need or use PAM, deciding not to include it is a good decision. Thanks Pat, and for what it's worth, I can't wait for 9.1.

      --
      Slackware, what else when it must be secure, stable, and easy?
    6. Re:PAM is not in by default by Anonymous Coward · · Score: 0

      I have _yet_, in my many, many years of using slackware, to say to myself, "gee.. I wish they'd gone with PAM".

      Just think about that as you upgrade your redhate box.

      Slackware has been, and continues to be, my favorite Linux distro. Stability, security and usability.. It's a good thing. Plus, I'll take patches from slackware over RPM's any day!

    7. Re:PAM is not in by default by proxima · · Score: 1

      Just think about that as you upgrade your redhate box.
      Of course, as others have pointed out, Red Hat intelligently backported fixes to 3.1 (RH 7.x), 3.4, and 3.5, and they are not vulnerable to this issue, at least according to Red Hat.

      Course, I run Debian at home so upgrades are easy and fast.

      --
      "The universe seems neither benign nor hostile, merely indifferent." --Carl Sagan
  11. JEBUS by tempest303 · · Score: 2, Insightful

    This is getting ridiculous. Maybe it's time for OpenSSH development to completely halt for the moment, and do some serious auditing? This is just plain sad... I know people have been joking about switching to lsh, but at a current "score" of 3 to 1, I'm starting to consider it, at least for the time being... :-/

    1. Re:JEBUS by Anonymous Coward · · Score: 0

      Sure, go ahead I'm sure you'll be a lot better off!

      http://www.securityfocus.com/archive/1/338354/2003-09-20/2003-09-26/0

    2. Re:JEBUS by Kalzus · · Score: 5, Insightful

      Arguably, this announcement *is* the result of an increase in code vetting on the part of the portable OpenSSH team. Just a thought.

      --
      "The Devil does not know a lot because He's the Devil, He knows a lot because he's old." -- unknown
    3. Re:JEBUS by tempest303 · · Score: 1

      RTFP: like I said, the "current score" of recent vulnerabilities of ssh vs lsh is 3 to 1. I was accounting for that vulnerability already. :P

    4. Re:JEBUS by Anonymous Coward · · Score: 0

      Two theoretical exploits and one potentially real one, vs a root exploit in your bugtraq inbox?
      And you'd rather they waited until they'd audited the entire code a few hundred times until they sent out patches?
      Moron.

    5. Re:JEBUS by tempest303 · · Score: 1

      Possibly. Perhaps I'm ignorant on the topic, but with auditing, shouldn't they put the vulnerability reports on hold for a short time, especially when there's so many in a row, and just do a sort of "service pack" upgrade?

      Maybe there is no answer, I don't know. At least they get the patches out quickly.

    6. Re:JEBUS by damiam · · Score: 1

      IIRC, it's 2 to 1, not 3 to 1. Also, both OpenSSH vulns were/are quite difficult to exploit, while the lsh vuln had an exploit linked from the Slashdot front page.

      --
      It's hard to be religious when certain people are never incinerated by bolts of lightning.
    7. Re:JEBUS by Corgha · · Score: 3, Insightful

      On the contrary, arguably, this announcement is the result of 3.7p1 and 3.7.1p1 being rushed out the door with new, unvetted PAM code.

      That's why it doesn't affect earlier versions.

    8. Re:JEBUS by pmz · · Score: 1

      This is getting ridiculous.

      Why? Do you know of a tool that provides more mileage than OpenSSH while providing pretty darn good security?

      Pretty darn good is all we should ask for, anyway, because near-perfect security requires network isolation and those MAC things people bitch about so much.

    9. Re:JEBUS by Anonymous Coward · · Score: 0

      If you find a problem, you get the fix out there as soon as possible just in case someone else found the same thing. If people, knowing full well that the defect has been found, are willing to wait several releases before upgrading, it is their decision, not yours.

      Open source developers shouldn't care about the marketing consequences of frequent bug fixes. They should be more concerned about letting security related bugs stay unpatched.

    10. Re:JEBUS by Anonymous Coward · · Score: 0


      Perhaps I'm ignorant on the topic
      Don't let that stop you from posting, this IS slashdot after all.

    11. Re:JEBUS by Ed+Avis · · Score: 3, Informative

      One of the principles behind OpenBSD (and therefore OpenSSH) is full disclosure of security vulnerability. They don't want to lie about how secure the software is or try to conceal things from you. Therefore the vulnerability reports (and fixes) are published as soon as possible. In practice, I think they do wait to have a patched version before announcing the bug.

      --
      -- Ed Avis ed@membled.com
    12. Re:JEBUS by Aadain2001 · · Score: 1

      So... you would rather they NOT announce that they have found another *possible* exploit and just let it sit there until regular users find them and call for their blood after being exploited? I'd rather have them do the smaller releases like this because it is quicker to examine and see what is being changed, which means Redhat (my distro) will have updated rpm on up2date in about 10 minutes.

      --
      Space for rent, inquire within
    13. Re:JEBUS by JoeBuck · · Score: 2, Insightful

      No, the vulnerabilities are due to new code in 3.7; the Red Hat and Debian people who backported only the security fixes to older OpenSSH versions are safe. They are not old vulnerabilities that were discovered by an increase in code vetting.

    14. Re:JEBUS by Anonymous Coward · · Score: 0

      So why didn't you help the developers instead of whining on slashdot? The PAM code has been in the development tree for *months*. Why is it that people who complain the loudest always do the least to help out?

    15. Re:JEBUS by Anonymous Coward · · Score: 1, Insightful

      The flaw was _found_ by the OpenSSH team. It wasn't a latest warez thing, because they _found_ it and _fixed_ it. They _did_ audit their code. Read a bit before posting. Yesh.

    16. Re:JEBUS by Corgha · · Score: 1

      Nice troll. If the developers decide to re-write openssh from scratch, am I suddenly obligated to audit their development tree?

      Apparently, if I don't do so, then I am not allowed to point out the flaw in someone's post when they say that a bug found in newly-released code is the result of increased auditing by the developers.

      Nobody is allowed to say anything about openssh unless they audit all the code!

      Speaking of which, why didn't *you* find this bug while it was still in the development tree? Why didn't you help the developers instead of trolling on slashdot? The PAM code has been in the development tree for *months*. Why is it that people who complain the loudest always do the least to help out?

  12. Lemonparty! by Anonymous Coward · · Score: 0

    [anonymous@coward home]$ ssh -V
    OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702

    1. Re:Lemonparty! by Anonymous Coward · · Score: 0

      [anonymous@coward src]$ ssh -v
      OpenSSH_3.2p1 root_me_now_build, SSH protocols 1.5/2.0, OpenSSL 0x0090701f

    2. Re:Lemonparty! by Anonymous Coward · · Score: 0

      [anonymous@coward home]$ ssh -V
      OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f

    3. Re:Lemonparty! by Anonymous Coward · · Score: 0

      [anonymous@coward home]$ ssh -V
      ssh : Command not found.

  13. You should switch to \/\/ind0w5! by Anonymous Coward · · Score: 0, Funny

    Because you can have it notify you and update all these things automatically and not even worry about any of this stuff. It's real simple, too. All you do it check "automatic updates" and it works! Then there are no more problems. No worms. No exploits. Your box is secure. 4m4zin6!

  14. Re:A better solution by Anonymous Coward · · Score: 1, Informative

    What, you mean the same lsh that was just exploited two days ago?

    Frankly, I think you'd have better luck searching the web for 'ssh'.

  15. Just like MS then. by clard11 · · Score: 1, Insightful

    So how is this different to MS having multiple attempts to resolve their security bugs? I don't see a difference. Doesn't this prove that closed or OSS, security code is a difficult software engineering challenge? Maybe slashdotters should cut MS some slack in this area.

    --
    catch (ModDownException mde) {post.modUp("Interesting")}
    1. Re:Just like MS then. by Anonymous Coward · · Score: 0

      Yeah, because the OpenBSD developers have an illegal monopoly on Operating Systems? This is an application vuln; when Microsoft bundle MediaPlayer, Explorer and friends as a way of leveraging their monopoly they sure as hell deserve everything they get for shipping sloppy code.

    2. Re:Just like MS then. by clard11 · · Score: 1

      I'm not defending MS monopolistic position, and I look forward to a day when Linux desktops are the standard. I just think we should be a little humble about the difficulties involved.

      --
      catch (ModDownException mde) {post.modUp("Interesting")}
    3. Re:Just like MS then. by BlowChunx · · Score: 1

      It is different because they (the OpenSSH team) announce bugs when they find them, not once a week.

      And you definitely won't get a spoofed email purporting to be from the OpenSSH guys to apply a "patch" that infects your machine!

    4. Re:Just like MS then. by clard11 · · Score: 1

      ...but in a linux desktop future you think the worm, trojan and virus writers are going to give up and go home with their tails between their legs ? I don't think so dude. And it's not a great leap to imagine a spoofed email from RedHat arriving in your inbox.

      --
      catch (ModDownException mde) {post.modUp("Interesting")}
    5. Re:Just like MS then. by phliar · · Score: 4, Insightful

      With MS, they're gaping holes that we hear about because the worm actually did do the damage. The bugfixes for OpenSSH are all questions about bugs being found by reading the code, and nonstandard installations -- not known compromises. The speed with which security issues are handled is also much better than anything those yahoos ever do.

      --
      Unlimited growth == Cancer.
    6. Re:Just like MS then. by alizard · · Score: 1
      So how is this different to MS having multiple attempts to resolve their security bugs ? I don't see a difference.

      The difference is that the OpenSSH people found the problem themselves and announced the fix with the problem. While the MS people do this, they usually wait until there's egg all over their face. The MS people also have a few billion more dollars to work with. You can buy a lot of code auditing with a few billion dollars. Well, you or I could. MS has other priorities.

    7. Re:Just like MS then. by Anonymous Coward · · Score: 0

      I run slack/OpenBSD and restrict access to the SSH port so this doesn't affect me at all. The issue with Microsoft boxes is that a single exploit will usually work regardless. I appreciate what you're saying but ensuring something is bug-free across multiple archs & OS's is WAY more difficult than doing so for a single operating system written in house. We aren't doing bad considering, eh?

    8. Re:Just like MS then. by clard11 · · Score: 1

      A lot of MS defects are reported to them by one organization and patched pretty quickly. The problem is updating all those existing clients and servers out there. With a massive OS population it's inevitable that there will still be vulnerable machines by the time the (now publicly documented) defect is exploited. Like I say, I see this being an equal problem for OSS if the future turns out to be Linux dominated.

      --
      catch (ModDownException mde) {post.modUp("Interesting")}
    9. Re:Just like MS then. by fyrie · · Score: 1, Insightful

      Are you serious? When was the last MS patch that came out AFTER the virus hit? Usually the patch has come out way in advance, sometimes even over a year in advance.

      Software defects are a part of software engineering. It doesn't matter if it is open or closed source. As long as humans are doing the coding, there will be 1 defect for X lines of code. It is as simple as that.

      Pass me the crack pipe please. C U bye!

    10. Re:Just like MS then. by Anonymous Coward · · Score: 0

      Not yet, anyway =]

    11. Re:Just like MS then. by pmz · · Score: 2, Insightful

      I don't see a difference.

      1) The people behind OpenBSD and OpenSSH are much less driven by time-to-market and ooh-shiney crap than the monkeys at Microsoft are.

      2) OpenBSD and OpenSSH actually strive for simplicity rather than obsess over bullet-points.

      3) OpenBSD's default install has basically only OpenSSH as a public service (among a handful more). This is already light-years ahead of numerous (thousands undiscovered, probably) default-available remote-root exploits in Windows.

      4) The people behind OpenSSH are much less likely (although no one's perfect) to sweep things under the rug than Microsoft.

      Microsoft is like a car dealership complete with greasy salespeople. OpenBSD/OpenSSH basically have no salespeople (word of mouth, who'd have thunk that?).

      Which makes you feel more warm and cozy?

    12. Re:Just like MS then. by Overly+Critical+Guy · · Score: 1

      With MS, they're gaping holes that we hear about because the worm actually did do the damage.

      No, they're not. For instance, Blaster was announced and patched for months.

      Face it people, there really isn't a difference when it comes to software insecurity. Nothing is foolproof, and this just gives people some egg on their face.

      --
      "Sufferin' succotash."
    13. Re:Just like MS then. by DA-MAN · · Score: 1

      Not entirely sure, but I must ask.. Were the RPC problems found by Microsoft or a third party? I know MS typically ignores problems until it makes them look bad or someone releases an exploit. Just because Microsoft fixed it before blaster, doesn't mean they fixed it due to their Quality Control procedures. How many bugs have been and are left unpatched, because Microsoft hasn't gotten around to it? I remember reading that when 2K came out, there were over 65K bugs, and I know it seems like we've installed that many when we run WindowsUpdate, but I don't think there have been 65K patches!

      However if you notice, all the OpenSSH bugs were fixed before any exploits were available and due to their own QC procedures. Writing perfect code is impossible, but fixing it before others get a chance to hack it is impressive in my book.

      --
      Can I get an eye poke?
      Dog House Forum
    14. Re:Just like MS then. by Shdwdrgn · · Score: 3, Insightful

      It's different because they advised everyone immediately of the problems, and released a patch as soon as they had one. MS has in the past spent considerable time blaming the customers for problems (for instance, IE automatically downloading and executing exe files from websites, without the user's consent).

      It's different because this is only one of a handful of programs which have required security updates in the past X weeks. How many security updates has MS released in the same amount of time?

      All of the MS advocates are spending a lot of time complaining about how everyone here bashes MS. I've been using Windows since 3.1 was released. Now I have a choice. Linux isn't for everyone. It requires a lot of time to learn it. Windows also required a lot of time to learn, but most people don't remember that. Back in the days when GUI's were new, we expected things to be difficult, and we lived with that until it was fixed. Now linux is coming in and trying to do everything the right way, but apparently many people are unwilling to give linux the same chance they originally gave to Windows.

      Windows is like a first-draft program. It's a kludge. It works, and with enough effort you can add a lot of eye-candy to make it look like a polished system, but underneath, it's still a kludge. They started with a vague idea of what they were going to write, and created it as best they could.

      Linux is more like a second-draft program. It's built from scratch completely based off of all the concepts that were discovered in writing the original version. The goal is in sight, the mistakes can mostly be avoided, and they have a clear idea of what they're doing from start to finish. It's still not going to be perfect, but it's built on a solid understanding of what needs to be done.

      Up next..? Who knows, but I imagine that comparing the next generation software to what we have now will be like comparing a finely-tuned Indy car to a horseless carriage.

    15. Re:Just like MS then. by Anonymous Coward · · Score: 0

      --incoming message--

      From: OpenSSH
      Subject: Apply this patch immediately

      Blah blah blah run this file now

      (Attached File)
      --End of message--

      So explain to me... if someone can send out a spoofed Microsoft email, why would they not be able to send out a spoofed SSH email? Your logic makes absolutely no sense.

    16. Re:Just like MS then. by clard11 · · Score: 1

      It was reported by a third party "Microsoft thanks The Last Stage of Delirium Research Group"

      --
      catch (ModDownException mde) {post.modUp("Interesting")}
    17. Re:Just like MS then. by iabervon · · Score: 1

      In this case, someone reading the code found a bug of a type that they had not considered before. So they fixed it, and started looking for other bugs of that type. They found that there were other bugs of the same type, and fixed those. Now they've found a bug in some code they don't use themselves, which has required further patching.

      OSS code is not appreciably less buggy than closed code when it is written; it becomes more secure as bugs get fixed that wouldn't have been found if it weren't open. Here we have bugs being found and fixed.

    18. Re:Just like MS then. by 4of12 · · Score: 1

      As long as humans are doing the coding

      ...and the configuring, installing, maintaining and testing of patches.

      So pick your poison:

      Microsoft: "Windows is soooo e-z to use, any monkey can run a server!" (Collects cash from awe-struck boss.) Later, shit hits fan.

      BSD: "Only leet h4Xor5 should edit config files and if they can't figure out what the hell to do from reading 50 man pages, the RFCs and the source code, then they should keep their sorry asses away from systems that are run by real men."

      There's progress to be made in both security models.

      --
      "Provided by the management for your protection."
    19. Re:Just like MS then. by wasabii · · Score: 1

      http://www.pivx.com/larholm/unpatched/ Please notice the list on that page. Those are 31 vulnerabilities, which have been reported to Microsoft, and have to this date not been fixed. You forget, when MS releases a security announcement, it is only because something made them do it. Some of these are a year or more old. The OpenSSH team, after the one vulnerability caught them off guard, is once again going thru their entire product with the lesson learned from the new hole, and fixing similar holes. THAT is trustworthy computing.

    20. Re:Just like MS then. by antiMStroll · · Score: 1
      Don't cut Windows short like that, it's much more user friendly. Worms don't require direct manual intervention like so many OSS exploits, just fire that puppy up on the net and wait a while, like watching a petri culture. Those in a rush can visit a few gambling sites or install P2P to ferment the brew.

      Never underestimate the time-saving convenience of automated desktop destruction. OSS still lags far behind, mired in a sea of RTFM and manual configs.

  16. our new motto. by Anonymous Coward · · Score: 0

    what do you wanna patch today?

  17. OpenSSH in RedHat 9 and others by avij · · Score: 5, Informative

    The RH-supplied latest OpenSSH (3.5p1-11) doesn't seem to accept the "UsePam no" directive that was suggested as a workaround, so if you go ahead and add that line to your /etc/ssh/sshd_config and say "service sshd restart", SSH will complain about an invalid configuration option and refuse to start. Just for your information..

    --

    Follow your Euro bills at EBT
    1. Re:OpenSSH in RedHat 9 and others by ZerothAngel · · Score: 3, Informative

      Well, the advisory states that "Older versions of portable OpenSSH are not vulnerable." So it's probably not much of a worry anyway.

    2. Re:OpenSSH in RedHat 9 and others by the_quark · · Score: 1

      ...And, of course, if SSH refuses to start, no one can use it to login into your system without authorization! Problem solved!

    3. Re:OpenSSH in RedHat 9 and others by Anonymous Coward · · Score: 0

      That now problem is only for 3.7.1p1 (3.7.1 portable), if you're using 3.5p1... guess what!?!?

      OK, you're smart: you don't need to patch!

    4. Re:OpenSSH in RedHat 9 and others by Repugnant_Shit · · Score: 1

      Which may mean
      1) That option isn't available and your system is in danger
      2) OpenSSH wasn't compiled against PAM, so you don't have to worry.

      That sounds right to me.

    5. Re:OpenSSH in RedHat 9 and others by virtual_mps · · Score: 4, Informative

      More importantly, the problem only affects OpenSSH 3.7p and 3.7.1p, so adding "UsePam no" to a 3.5p installation is unnecessary.

    6. Re:OpenSSH in RedHat 9 and others by Eric+Seppanen · · Score: 3, Informative

      According to Redhat Bugzilla bug 104917, Red Hat has never shipped openssh 3.7, so they're not vulnerable to this. No workaround or fix is needed.

      --
      314-15-9265
    7. Re:OpenSSH in RedHat 9 and others by astroboy · · Score: 1
      The RH-supplied latest OpenSSH (3.5p1-11) doesn't seem to accept the "UsePam no" directive that was suggested as a workaround, so if you go ahead and add that line to your /etc/ssh/sshd_config and say "service sshd restart", SSH will complain about an invalid configuration option and refuse to start.

      And thus, an effective workaround.

    8. Re:OpenSSH in RedHat 9 and others by tarvin · · Score: 1

      The latest OpenSSH PAM-problem affects versions 3.7.x of (the "Portable" version of) OpenSSH. Red Hat has never released anything newer than version 3.5, so no workarounds are needed. Don't expect updated packages from Red Hat for this particular OpenSSH vulnerability.

      Generally, if you can, include these statements in your sshd_config file:

      Protocol 2
      PasswordAuthentication no
      ChallengeResponseAuthentication no

      This means that the only way to access the SSH service is with key-based authorization, using the modern variant ("2") of the SSH protocol. Make sure you are comfortable with key-based authorization before turning off the non-key based methods as mentioned above.

      If you use the lines above, then make sure that you don't override them by having PAMAuthenticationViaKbdInt in your sshd_config.

      After this, your sshd will have to "speak" only one protocol, and it will have less authentication entry points (meaning less potentially buggy complexity).

    9. Re:OpenSSH in RedHat 9 and others by Anonymous Coward · · Score: 0

      RedHat applies security patches to whatever version shipped with the original OS, so it very well may be necessary.

  18. Re:A better solution by sqlrob · · Score: 3, Insightful
  19. Re:A solution? Read advisory by Anonymous Coward · · Score: 1, Informative

    Advisory

    Subject: Portable OpenSSH Security Advisory: sshpam.adv

    This document can be found at: http://www.openssh.com/txt/sshpam.adv

    1. Versions affected:

    Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
    vulnerabilities in the new PAM code. At least one of these bugs
    is remotely exploitable (under a non-standard configuration,
    with privsep disabled).

    The OpenBSD releases of OpenSSH do not contain this code and
    are not vulnerable. Older versions of portable OpenSSH are not
    vulnerable.

    2. Solution:

    Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM
    support ("UsePam no" in sshd_config).

    Due to complexity, inconsistencies in the specification and
    differences between vendors' PAM implementations we recommend
    that PAM be left disabled in sshd_config unless there is a need
    for its use. Sites only using public key or simple password
    authentication usually have little need to enable PAM support.

  20. RedHat boxes are safe by menscher · · Score: 4, Informative

    Just to alleviate some of the panic, RedHat boxes are safe.

    1. Re:RedHat boxes are safe by Anonymous Coward · · Score: 0

      As far as I can tell, all Debian releases are safe too since they use older versions with back-ported security fixes.

    2. Re:RedHat boxes are safe by Jhon · · Score: 2, Informative

      Is that accurate? I read that as saying "With the version shipped with RH and RH Enterprise" -- which is an OLDER version. Doesn't that mean that if an RH user has updated SSH to a newer version, they are vulnerable?

    3. Re:RedHat boxes are safe by MSG · · Score: 4, Insightful

Please don't post links to bugzilla. Bugzilla is a database driven application, and linking to it directly from slashdot will certainly swamp that system. The information in the bugzilla entry is:

      Opened by mjc@redhat.com (Mark J Cox, Security Response Team Lead) on 2003-09-23 11:16

      http://www.openssh.com/txt/sshpam.adv came out on Sep23 with two new
      vulnerabilities that affect OpenSSH.

      Both these issues only affect OpenSSH 3.7 and 3.7.1. Red Hat Linux and Red Hat
      Enterprise Linux are not vulnerable to these issues as we ship with earlier
      versions (with the addition of backported security fixes for other issues).

      Keeping this bug open for a few days to enable users searching bugzilla to find
      out that they are not vulnerable.

    4. Re:RedHat boxes are safe by Anonymous Coward · · Score: 0

      Most of the sites to which Slashdot links are database-driven. Just because Bugzilla is horribly inefficient doesn't mean you shouldn't link to it on principle.

    5. Re:RedHat boxes are safe by JofCoRe · · Score: 1

      Yes, if you have compiled and installed your own and you have the vulnerable version (3.7.1p1 is it?), you will be vulnerable. I think what redhat is trying to say is that any systems that are using their RPMs to keep updated are safe, since they are using an older version of OpenSSH, with backported fixes.

      --

      Place sig here.
    6. Re:RedHat boxes are safe by Jhon · · Score: 1

      Right. The point I was trying to make was that the blanket statement that "RH machines are safe" wouldn't be accurate -- and somewhat misleading. I guess I was a bit too obtuse.

    7. Re:RedHat boxes are safe by JofCoRe · · Score: 1

      This is true... I actually was going to mention that in my comment as well about how the original poster had been "vague", but hit submit too fast :)

      --

      Place sig here.
    8. Re:RedHat boxes are safe by LuckyStarr · · Score: 1

      Proof? Where can we find this information?

      --
      Meme of the day: I browse "Disable Sigs: Checked". So should you.
    9. Re:RedHat boxes are safe by Anonymous Coward · · Score: 0

      If you check the versions of OpenSSH Debian supplies, you'll see there are no 3.7.?p? releases. 3.7.?p? was the only known branch with this new problem.

      If you check Debian's known OpenSSH bugs you won't see it listed either, although that's not quite as convincing as an "it's not a bug" notice...

      That said, if you were to hand-install a potentially vulnerable 3.7.?p? release, I suppose you could make Debian not safe, but you probably know what I meant ;).

    10. Re:RedHat boxes are safe by Rogerborg · · Score: 1

      I have to ask: if it's not meant to be accessed by http, why is it accessible by http?

      --
      If you were blocking sigs, you wouldn't have to read this.
  21. When will it end? by Dr.+Bent · · Score: 3, Funny

    This vulnerability apparently has to do with PAM

    When will people learn that non-stick cooking spray causes more harm than good? Unneeded fat, calories and remote root exploits are just some of the problems caused by these unsavory products. For god's sake, people...there are better ways to dissipate heat and prevent sticking and burning. For one, turn that CPU clock speed down! Just because you can fry an egg on your motherboard, doesn't mean you should! That's what the CD-ROM drive is for!

    1. Re:When will it end? by Anonymous Coward · · Score: 0

      When will people learn that non-stick cooking spray causes more harm than good? Unneeded fat, calories and remote root exploits are just some of the problems caused by these unsavory products. For god's sake, people...there are better ways to dissipate heat and prevent sticking and burning. For one, turn that CPU clock speed down! Just because you can fry an egg on your motherboard, doesn't mean you should! That's what the CD-ROM drive is for!

      So now you're saying I shouldn't spray my CPU with non-stick cooking spray?

  22. YOU'RE EXPLOITABLE!!!!!!!!!! by Anonymous Coward · · Score: 0
    1. Re:YOU'RE EXPLOITABLE!!!!!!!!!! by rottcodd · · Score: 1

      I'd be more concerned if *sshd* were 3.6. Unless I've missed something, the client's fine- at least for ssh v2.

      (Why do these things always break when the real sysadmin's in classes? Well, I didn't feel like doing any of my research now anyway.)

  23. It's her fault! by devphaeton · · Score: 1

    This vulnerability apparently has to do with PAM,

    Yeah, I always blame my problems on the chick too ;)

    (kekekeke)

    --


    do() || do_not(); // try();
  24. Where are they? by Anonymous Coward · · Score: 0

    Okay, a bunch of posts already, but where are all the "*BSD is dying" trolls now? OpenBSD got it right, but porting to Linux and other OSes screwed up.

  25. Not the way to compete with MS by narratorDan · · Score: 1, Funny

    OSS should compete with features and security not number of exploits and patches.

    On second thought, maybe more patches will make IT managers think that OSS=MS in quality and will begin to use OSS more because it is as good as MS.

    NarratorDan

    --
    "If you're not confused by quantum mechanics, you really don't understand it." - Niels Bohr
    1. Re:Not the way to compete with MS by Anonymous Coward · · Score: 0

      HEY! You're being a tad harsh. The whole point of opensource software is the holes are fixed *when found*, not 6 years later like some RPC holes recently mentioned....

  26. I suppose... by Draco_es · · Score: 1

    ...that OpenBSD is not vulnerable because it doesn't use PAM itself. It uses BSD-auth (imported from BSD/OS I think) as its authentication system.

    The advisory says that PAM should be disabled by default. I think that it isn't a very realistic petition. Most (medium|large)-scale Unix/linux deployments depend on pam modules like pam_ldap, pam_krb, etc...

    1. Re:I suppose... by Abcd1234 · · Score: 1

      Umm... if you're setting up a "(medium|large)-scale Unix/linux deployment", the odds are you have the skill to put "UsePAM = yes" in your config file. For the rest of us, having a more secure default is always a good thing.

  27. Case matters by SkimTony · · Score: 1

    The directive should be:
    "UsePAM no"

    Case matters.

    1. Re:Case matters by avij · · Score: 2, Insightful

      Um, no.

      man sshd: keywords are case-insensitive and arguments are case-sensitive, meaning that usepam and UsePam and UsePAM are equivalent.

      --

      Follow your Euro bills at EBT
    2. Re:Case matters by hacker · · Score: 1
      keywords are case-insensitive and arguments are case-sensitive

      Uhm, no.

      Change ANY option in your sshd_config from 'yes' to 'Yes' or 'no' to 'No' and try to restart the sshd daemon. It WILL fail. It is absolutely, positively case-sensitive. The manpage is wrong, not the code.

      /etc/ssh/sshd_config line 81: Bad yes/no argument: Yes
    3. Re:Case matters by QuMa · · Score: 1

      Perhaps you'd like to read the text you quoted again.

    4. Re:Case matters by srn_test · · Score: 1

      Yes, thus "arguments are case-sensitive".

      Please try to understand, before one of us dies!

    5. Re:Case matters by jhunsake · · Score: 1

      I hope to God that you were attempting to troll there!

  28. Only.... by 222 · · Score: 0, Flamebait

    X+1 holes in the default install in over 7 years!
    It's a joke, people.....

    1. Re:Only.... by LePrince · · Score: 1
      This does not add to X. The "default install" you are talking about is for OpenBSD, not OpenSSH. There's a world of difference between a whole OS and a package that's part of it.

      So, last week's vulnerability WAS an addition to your X, not this one.

    2. Re:Only.... by 222 · · Score: 1

      Gah, you're right.... I need more coffee. It is still surprising to see what's happened to this package over the last few weeks though, but I guess that just means more and more eyes are sifting through the code, which is undeniably a good thing.

  29. Apple affected? by toupsie · · Score: 1

    Apple just came out with Mac OS X update 10.2.8 which fixed the last OpenSSH exploit. Does anyone know if that updates also covers the new exploit mentioned here? Or should I expect 10.2.9 in a few days?

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
    1. Re:Apple affected? by bnenning · · Score: 2, Insightful

      The vulnerability apparently only affects OpenSSH version 3.7, and Mac OS X uses 3.4, so we should be ok.

      --
      How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
    2. Re:Apple affected? by Contact · · Score: 1

      Actually, they published it and then pulled it again - it caused network problems for some G4 towers, apparently.

  30. Only by Anonymous Coward · · Score: 0

    Only 2 remote holes in the last 2 weeks.

    1. Re:Only by Anonymous Coward · · Score: 0


      Neither has been shown to be exploitable in the default OpenBSD install, fucktard.

  31. The Need for Open Source Watchdogs by TheCRE · · Score: 3, Interesting

    In light of the recent CERT/CC advisories regarding security vulnerabilities in the Sendmail and OpenSSH programs (even before the problems with new release of portable Open SSH) the Center for Regulatory Effectiveness' WatchDog Watch discussed the need for open source watchdogs. Please see, www.thecre.com/wdw/20030922_open_source.html Winston Security Director, WatchDog Watch

  32. Time for less windows bashing? by SteWhite · · Score: 1, Offtopic

    Note: This post is not intended as a troll or flamebait, I'm merely stating my opinion, which is this:

    When this kind of thing can happen with such important and widely used open source software, I think people should take a moment to consider being more lenient towards Microsoft and their endless patches.

    I'm not saying that MS products are in any way more secure than their OSS equivalents, indeed they are most likely less secure, but we need to remember that theirs are not the only insecure programs in the world. Take heed people.

    1. Re:Time for less windows bashing? by HeghmoH · · Score: 1

      Open Source bugs get press when a couple of guys look at the code and say, "Hey, if someone were really clever, they might be able to exploit this obscure vulnerability that nobody has ever seen before in order to gain access."

      Windows bugs get press when a couple of guys write a worm that infects millions of machines worldwide and causes global internet slowdowns and billions of dollars in economic damages.

      So why, exactly, should we be lenient?

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  33. Is the default config file safe? by jqh1 · · Score: 1

    I'm using pretty much the default config file, and I've never intentionally enabled PAM. Here's what the PAM part looks like:

    # Set this to 'yes' to enable PAM authentication (via challenge-response)
    # and session processing. Depending on your PAM configuration, this may
    # bypass the setting of 'PasswordAuthentication'
    #UsePAM yes

    If you have to uncomment out that line to enable PAM authentication, then *not* uncommenting it is equivalent to setting it to "no" (like the advisory says to do) yes? The advisory does appear to mention this default, explicitly anyway...

    [sorry to ask what may be the obvious, but weeks fall off my probable lifespan whenever I'm messing with sshd on a remote server, and I'd sure like to avoid it if I can]

    --
    who's moderating the meta-moderators?
    1. Re:Is the default config file safe? by jqh1 · · Score: 1
      The advisory does appear to mention this default, explicitly anyway...

      *Ahem*, I meant, of course:
      The advisory doesn't appear to mention this default, explicitly anyway...

      --
      who's moderating the meta-moderators?
    2. Re:Is the default config file safe? by David_W · · Score: 1
      If you have to uncomment out that line to enable PAM authentication, then *not* uncommenting it is equivalent to setting it to "no" (like the advisory says to do) yes?

      No. :(

      Typically OpenSSH shows the default setting commented out in the config files. So that's (probably) saying that UsePAM is yes by default, so you need to uncomment that and change it to no. It's a good idea to do it anyway, as that way you are certain the setting is what you think it is; you wouldn't want to get caught by an assumption.

    3. Re:Is the default config file safe? by Ratcrow · · Score: 4, Informative

      No!

      From the top of sshd_config:

      "The strategy used for options in the default sshd_config shipped with OpenSSH is to specify options with their default value where possible, but leave them commented. Uncommented options change a default value."

      In other words, simply uncommenting the line changes nothing -- the default is shown commented. For the SRPMS of OpenSSH-3.7p1, UsePAM is set to Yes.

    4. Re:Is the default config file safe? by Medievalist · · Score: 1

      If you gave your OpenSSH version number, and the distribution you are running it on, and whether you installed from distro packages or built from source, I could answer your question accurately.

      Without that, I'd offer this usually correct advice: The default config file is supposed to be built with the default configuration, only commented out. So, when you see
      #UsePAM yes
      in your configuration, you can be fairly sure that PAM is in fact enabled.
      Further, if you have a PAMified distribution such as HP-UX, Red Hat Linux, or Solaris (which is a wonderful thing, incidentally, PAM is *great*) you can't disable PAM without breaking your system.

      In short; if you are PAMified, you need PAM enabled. If you are not, you shouldn't have it enabled. It's not a trivial thing that you switch on and off on a whim.

    5. Re:Is the default config file safe? by jqh1 · · Score: 1

      OK - caution 1, blood pressure 0 (actually much, much higher)
      [wince]...

      Thanks

      p.s. - works fine with
      UsePAM no
      [whew]

      --
      who's moderating the meta-moderators?
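    The three sub-threads above (tarvin's key-only sshd_config, the "Case matters" argument about keyword versus argument case, and the question of whether a commented-out "#UsePAM yes" line means PAM is off) all come down to how sshd reads its config file. The following audit script is an added example written for this mirror; it is not code from the original discussion or from the OpenSSH project. It models the parser rules the thread states (comment lines set nothing, keywords are case-insensitive, yes/no arguments must be exactly "yes" or "no", the first occurrence of a keyword wins) and reports the findings a reader of the sshpam.adv advisory would care about. The DEFAULTS table is an assumption approximating an early-3.7 portable build with PAM compiled in; the sample configs are constructed, and the tool only understands the handful of keywords the thread mentions.

```python
"""Added example: audit an sshd_config using the parser rules discussed above.

Assumptions (not from the page): DEFAULTS approximates a 3.7p1/3.7.1p1 portable
build with PAM compiled in (3.7.1p2 flipped UsePAM's default to "no"); only the
keywords the thread talks about are modelled.
"""
from typing import Dict, List

# Assumed compiled-in defaults for an early-3.7 portable build.
DEFAULTS: Dict[str, str] = {
    "protocol": "2,1",
    "usepam": "yes",
    "useprivilegeseparation": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "pamauthenticationviakbdint": "no",
}

YES_NO = {k for k in DEFAULTS if k != "protocol"}


class ConfigError(ValueError):
    """Raised for an argument sshd itself would reject (e.g. 'Yes' or 'YES')."""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective value of every keyword in DEFAULTS.

    Rules modelled on sshd's config parser:
      * empty lines and lines starting with '#' are comments, so the shipped
        '#UsePAM yes' line sets nothing and the compiled-in default applies;
      * keywords are case-insensitive ('usepam', 'UsePam', 'UsePAM' are equal);
      * arguments are case-sensitive: yes/no options take exactly 'yes' or 'no';
      * the first occurrence of a keyword wins, later duplicates are ignored.
    """
    seen: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ConfigError(f"line {lineno}: missing argument: {raw!r}")
        keyword, arg = parts[0].lower(), parts[1].strip()
        if keyword in YES_NO and arg not in ("yes", "no"):
            raise ConfigError(f"line {lineno}: Bad yes/no argument: {arg}")
        if keyword not in DEFAULTS:
            continue  # not modelled here; real sshd rejects truly unknown keywords
        seen.setdefault(keyword, arg)  # first occurrence wins
    return {k: seen.get(k, v) for k, v in DEFAULTS.items()}


def audit(text: str) -> List[str]:
    """Return short finding codes for the effective configuration; [] is clean."""
    opts = parse_sshd_config(text)
    findings: List[str] = []
    if opts["usepam"] == "yes":
        findings.append("PAM_ENABLED")  # the sshpam.adv bugs live in this code path
        if opts["useprivilegeseparation"] == "no":
            findings.append("PAM_WITHOUT_PRIVSEP")  # the advisory's remotely exploitable case
    if "1" in opts["protocol"].split(","):
        findings.append("PROTOCOL_1_OFFERED")
    if opts["passwordauthentication"] == "yes":
        findings.append("PASSWORD_AUTH")
    if opts["challengeresponseauthentication"] == "yes":
        findings.append("CHALLENGE_RESPONSE_AUTH")
    if opts["pamauthenticationviakbdint"] == "yes":
        findings.append("PAM_VIA_KBDINT")  # re-opens an interactive PAM path
    if opts["pubkeyauthentication"] == "no":
        findings.append("NO_PUBKEY_AUTH")  # with the rest off you would lock yourself out
    return findings


# Constructed sample configs (not taken from any real host).
SHIPPED_DEFAULT = """\
# Shipped sshd_config: defaults are shown commented, so nothing is changed.
#Protocol 2,1
#UsePAM yes
#PasswordAuthentication yes
"""

HARDENED = """\
Protocol 2
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
UsePrivilegeSeparation yes
"""

if __name__ == "__main__":
    for name, cfg in (("shipped default", SHIPPED_DEFAULT), ("hardened", HARDENED)):
        print(f"{name}: {audit(cfg) or 'clean (key-only, PAM off)'}")
```

    Note that "#UsePAM yes" in the first sample produces PAM_ENABLED: the commented line is inert and the assumed default carries through, which is exactly why the replies above say to uncomment it and change it to "no" rather than trust the comment. Feeding the script "UsePAM Yes" raises ConfigError with the same "Bad yes/no argument" wording the real daemon logs.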
  34. New Motto by Greyfox · · Score: 4, Funny

    15^H^H10 minutes without a remote root exploit!

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:New Motto by insomaniac · · Score: 1

      If you are referring to OpenBSD, you didn't even read the slashdot posting right, it doesn't affect OpenBSD.

      --
      The way to corrupt a youth is to teach him to hold in higher value them who think alike than those who think differently
    2. Re:New Motto by evilviper · · Score: 1
      15^H^H10 minutes without a remote root exploit!

      Well, so far, none of these exploits have been shown to be exploitable.

      This most recent one is only exploitable (according to the advisory) if you have an unusual configuration, PAM enabled, and PrivSep disabled (why would anyone do that?).
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  35. Slashdot slow? by Anonymous Coward · · Score: 0

    Is it just me, or is Slashdot totally slow, websitewise and networkwise? Like at least 30 secs for a page to come up after clicking.

  36. Yippee! by mrpuffypants · · Score: 4, Funny

    oooh! Patching every other day is fun!

    This is just like being a MCSE! Now I can hang out with the NT guys and chat about patching!

    1. Re:Yippee! by Tailhook · · Score: 1

      oooh! Patching every other day is fun!

      Fun?

      # apt-get upgrade
      # exit

      Boring. The way it should be.

      --
      Maw! Fire up the karma burner!
    2. Re:Yippee! by mhesseltine · · Score: 1

      Wait. Shouldn't this be:

      # apt-get update
      # apt-get upgrade
      # exit

      Without the update step, apt wouldn't know about the new packages.

      Although, I suppose you could have the apt-get update step in a cron job.

      --
      Overrated / Underrated : Moderation :: Anonymous Coward : Posting
    3. Re:Yippee! by archen · · Score: 2, Funny

      NT guy: "so like... you DON'T reboot? Huh? Patch? HuH? How can you patch and not reboot?"

    4. Re:Yippee! by kcbrown · · Score: 1
      Although, I suppose you could have the apt-get update step in a cron job.

      Yep. Install the cron-apt package if you want this.

      --
      Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
  37. fact of life by NumLk · · Score: 4, Insightful

    I'm not trying to be a tool here, but seriously, does anyone ever expect any piece of software to be 100% foolproof? Software is complex, and in its complexity lies opportunity for problems to arise. Sometimes they are simple coding mistakes, sometimes they are problems that arise when the software isn't used as its developers envisioned.

    As users of software though, it is irresponsible to assume that just because it is commercial, open source, MS, non-MS, or whoever is the messiah of the day's product that it will never have unexpected problems. Admittedly, some companies software appears to be worse than others, but that is the gamble we take when we build complex systems.

    --
    Children in the backseats don't cause accidents. Accidents in the back seats cause children.
    1. Re:fact of life by Anonymous Coward · · Score: 0
      Microsoft Vulnerability: HAHAHA M$ is teh ghey is teh s000 LAM3!!!!1!!! HAHAHA L1nux r00lz!!!11!!!! HAHAHA

      Open source vulnerability: But seriously, does anyone ever expect any piece of software to be 100% foolproof? Software is complex, and in its complexity lies opportunity for problems to arise.

  38. Microsoft are the reason by SnowWolf2003 · · Score: 2, Funny

    Are we sure Microsoft aren't involved in this project in some way?

  39. EXCUSE ME!? by SHEENmaster · · Score: 1

    This patch is coming out before any known implementation of an exploit, and certainly well before worms start using it.

    With Microsoft, we wouldn't know until days after the virus makes the news.

    This is a prime example of why OSS is better. It has been fixed before those "evil hacker terrorist communists" find out about it.

    --
    You can't judge a book by the way it wears its hair.
    1. Re:EXCUSE ME!? by Anonymous Coward · · Score: 0
      The recent lsh vulnerability report was a zero-day patch that got reported along with a known actual exploit in the wild.

      All the big recent worms affecting microsoft products had a patch released anywhere between 20 and 30 days of an exploit actually appearing. Indeed, in the case of Slammer, the exploit was probably created because microsoft published the vulnerability.

      Do you feel stupid now?

    2. Re:EXCUSE ME!? by reverendslappy · · Score: 2, Insightful

      Huh?

      Nimda:
      Patch Released: August 15, 2001
      Major Exploit Starts: September 18, 2001

      SQL Slammer Worm:
      Patch Released: July 24, 2002
      Major Exploit Starts: January 25, 2003

      MS Blaster Worm:
      Patch Released: July 16, 2003
      Patch Released: August 11, 2003

    3. Re:EXCUSE ME!? by reverendslappy · · Score: 1

      Doh...

      MS Blaster Worm:
      Patch Released: July 16, 2003
      Major Exploit Starts: August 11, 2003

      You know what I meant.

    4. Re:EXCUSE ME!? by howlinmonkey · · Score: 1

      As has been stated here before, many of the recent MS issues have been patched for quite a while. Most Windows users simply don't keep up to date.

      I love MS as much as the next /.er, but let's be honest in our criticism, and not just howl as loud as we can about how awful everything MS is.

    5. Re:EXCUSE ME!? by Anonymous Coward · · Score: 0

      Don't forget Code Red, which Nimda effectively replaced. I first started seeing it on my firewall on July 14, 2001. It didn't hit the news until the 19th. I guess the original CR random number generator really liked a couple of addresses in my networks.

      Even then, I'm pretty sure that MS had a patch out beforehand. The real problem is the large number of weenies out there who will never apply a patch and become amplifiers for the exploit of the week.

    6. Re:EXCUSE ME!? by Anonymous Coward · · Score: 0

      You're so full of it even yo momma can't stand the stench, and she's getting her artificial tan from the can (hey, that rhymes).

      The real situation is exactly the opposite of how you paint it.

      How long ago is it that an MS exploit appeared before the patch?

      Too bad the same can't be said about OSS. No, they come up with zero-day patches (that have to be patched again later because they introduce new bugs) because their ass is on fire, and then everyone starts advertising "look how fast that patch was available".

      Another consideration: lots of MS systems are months behind with applying patches, that's a fact.
      But what makes you believe the situation is better in the OSS world, where updates have to be downloaded and installed manually by the user in most cases, rather than the user being able to choose to fully automate the process?

      And which MS systems are running behind on patches?
      XP comes almost preconfigured to automatically download critical updates, all you have to do is run through a wizard the first time because they don't want to do it behind your back. In older versions you can set it up too: all it takes is going to the Windows Update site and follow the prompts.

      The problem is, I personally know several people who disabled even the scan for available updates as fast as they could (let alone automatic download), because they were afraid MS would find out they're running a pirated version and push down a patch that disables the crack or the leaked enterprise registration code that allows them to run without activation.

      So who do you think is responsible for worms creating havoc months after the patches were supposed to have been installed? MS? ROTFL.

    7. Re:EXCUSE ME!? by Anonymous Coward · · Score: 0

      Absolutely.

      And why don't they ever apply a patch? Because they're afraid it will disable the leaked registration code they used to install their pirated copy of windows.

  40. Problem building openssh 3.7.1p2 by gatzke · · Score: 1

    Anyone else running into problems building openssh 3.7.1p2?

    I got p1 to work ok on Mandrake 8.1 system.

    The new version apparently will not allow for keyboard-int authorization. I configured --with-pam and I don't have PAM off in my /etc/ssh/sshd_conf

    I could not even get 3.7.1p1 to compile on an older mandrake box.. Doh. gotta upgrade.

    1. Re:Problem building openssh 3.7.1p2 by Anonymous Coward · · Score: 0

      From the release notes:
      * This release now requires zlib 1.1.4 to build correctly. Previous versions have security problems.

      Might this be your problem?

    2. Re:Problem building openssh 3.7.1p2 by gatzke · · Score: 1

      Found the problem, if anyone cares.

      You now apparently have to explicitly set the UsePAM option to yes in your sshd_config file.

      Doh!

      But I still can't get old mandrake to compile...

      cipher-ctr.c:92: warning: assignment from incompatible pointer type
      cipher-ctr.c:97: structure has no member named `key_len'
      cipher-ctr.c: In function `ssh_aes_ctr_cleanup':
      cipher-ctr.c:108: warning: assignment from incompatible pointer type
      cipher-ctr.c: In function `ssh_aes_ctr_iv':

    3. Re:Problem building openssh 3.7.1p2 by Anonymous Coward · · Score: 0

      The default's changed. You need to explicitly turn PAM on in your config now.

    4. Re:Problem building openssh 3.7.1p2 by kasperd · · Score: 1

      But I still can't get old mandrake to compile...

      Maybe you need a newer openssl?

      --

      Do you care about the security of your wireless mouse?
    5. Re:Problem building openssh 3.7.1p2 by Anonymous Coward · · Score: 0

      You got it to compile on another box, how about bringing the binary (and whatever libs) from that box?

    6. Re:Problem building openssh 3.7.1p2 by Phydoux · · Score: 1
      I had the same problem with my Mandrake 8.1 system. The way I fixed it was to go into the openssh.spec file and find the lines:
      %if %{rescue}
      --without-pam --with-md5-passwords \
      %else
      --with-pam \
      and change them to read:
      %if %{rescue}
      --without-pam --with-md5-passwords \
      %else
      --with-pam --with-md5-passwords \
      After this change I built the rpms and installed them using
      rpm -ivh --force *.rpm
      I had to use the --force option because I had already installed that version of OpenSSH and rpm of course complained that it was already installed.
      --
      If a tree fell on a florist, and nobody was around to hear it, would he make a noise?
    7. Re:Problem building openssh 3.7.1p2 by Anonymous Coward · · Score: 0

      Thank you very much

    8. Re:Problem building openssh 3.7.1p2 by gatzke · · Score: 1

      I did not make an RPM for my Mandrake 8.1 system, I just did
      ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam
      make;make install

      and made a couple of changes in /etc/ssh/sshd_config

      UsePAM yes
      PasswordAuthentication no

      It looks like I may run into troubles in some cases. ?? I don't know enough about ssh, but I bet Password Authentication did not work originally for me because I did not use the --with-md5-passwords option to build.

      What is the deal with %{rescue}? I just did a quick google and didn't hit anything easily. Is PAM not enabled in some rescue situations? ??

  41. Inefficient! by Akardam · · Score: 1, Offtopic

    You backspaced twice, but you only needed to replace the 5 with 0, thus only needing to erase one of the characters. Hence:

    15^H0 minutes without a remote root exploit!

    ... oh, wait. You were doing that for illustratory purposes...

    I reeealy need to get a life...

    1. Re:Inefficient! by Anonymous Coward · · Score: 0

      I'm still confused. Why wouldn't it reset to zero?

    2. Re:Inefficient! by Anonymous Coward · · Score: 0

      Because of winnie the poo! Thats why.

      Im confused about your reaction.

  42. Oh PAM! by Ghoser777 · · Score: 1

    The first time I read that I thought I saw SPAM. I blame SPAM for most of my problems now anyway (diet, junk email, etc), so I wasn't too surprised to be adding network security to the list.

    Matt Fahrenbacher

    --
    James Tiberius Kirk: "Spock, the women on your planet are logical. No other planet in the galaxy can make that claim."
  43. Not so fast! by MarcQuadra · · Score: 3, Interesting

    Not so fast!

    The LAST vulnerabilities were for 3.6 and 3.7 as well, but 3.4 COULD be vulnerable as it's now 'off the beaten path' and these vulnerabilities seem to have been discovered in a code audit triggered by the recent attention given to OpenSSH. Apple had to patch their 3.4 version, and I'd expect another minor software update package from Apple in the next few days to address this.

    Anybody out there know if it's easy to build current versions (3.7.1p2, etc.) of OpenSSH on OS X with the developer tools installed, or is there some very compelling reason Apple is sticking to 3.4 and just adding to it?

    --
    "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
    1. Re:Not so fast! by Anonymous Coward · · Score: 0

      OS X doesn't use PAM, so I don't think they'll immediately release another update. since they aren't affected by this issue.

    2. Re:Not so fast! by Anonymous Coward · · Score: 0

      "OS X doesn't use PAM"

      really ?

      so why does it have PAM available ?

      type `man pam` for details

      coincidentally this vulnerability affects only portable versions of 3.7 and 3.7.1 due to code changes affecting PAM, as the version in OSX and Darwin does not have these changes it should not be vulnerable.

  44. Depends, but generally -NO- by MarcQuadra · · Score: 1

    AFAIK, commented code shows the defaults, PAM is PROBABLY ON in your case. Most of us use PAM for authentication, so I wouldn't shrug this off.

    --
    "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
  45. Name a recent MS Exploit by Anonymous Coward · · Score: 0

    That didn't have a patch out weeks or months before an exploit was seen in the wild?

  46. IMO by Znonymous+Coward · · Score: 0, Redundant

    It's time for a code audit.

    --

    Karma: The shiznight, mostly because I am the Drizzle.

  47. RPM's for Red Hat 7.2, 7.3 and 8.0 by corz · · Score: 2, Informative
    I created these a little earlier today:

    http://projects.standblue.net/rpms/openssh/3.7.1p2/

    Enjoy.

    1. Re:RPM's for Red Hat 7.2, 7.3 and 8.0 by Anonymous Coward · · Score: 2, Interesting

      Erm, those OSes aren't vulnerable. See the RH Bugzilla page on it -- they're too old to be vulnerable to this.

      Appreciate the work, but there's no need :)

    2. Re:RPM's for Red Hat 7.2, 7.3 and 8.0 by nick+this · · Score: 1

      Lemme see if I've got this right.

      I'm paranoid enough about security that I've already heard about the exploit and want to patch, but I'm lazy enough to trust binaries offered up by some random (no offense) guy on *SLASHDOT*?

      Please tell me your logs show no hits.

    3. Re:RPM's for Red Hat 7.2, 7.3 and 8.0 by Dri · · Score: 1

      Wish I had time to analyze them. Probably some malicious code in them.

      --
      Girls are strange. They don't come with a man page.
      -- Michael Mattsson
    4. Re:RPM's for Red Hat 7.2, 7.3 and 8.0 by Anonymous Coward · · Score: 0

      Sheesh, no good deed goes un-punished.

      If you're suspicious, don't use it. The guy might have just been trying to be helpful. Hard to believe I know, but maybe, just maybe, true.

  48. All the more reason for Microsoft bashing by Dan+Ost · · Score: 2, Offtopic


    Microsoft could learn something from this. The OpenSSH team finds a problem,
    announces it, and makes a fix available. Then they identify similar problems,
    announce them, and make fixes available.

    Microsoft seems to follow one of three different procedures depending on
    circumstances:
    1. ignore the problem until there's an exploit and public outcry
    2. quietly release a fix and then advertise it when there's an exploit and
    public outcry
    3. leave the problem unfixed in order to force people to upgrade

    I say we bash Microsoft until they start designing their products with
    security in mind.

    --

    *sigh* back to work...
    1. Re:All the more reason for Microsoft bashing by zerocool^ · · Score: 1

      not to toot the M$ horn, but a lot of times, there'll be a big M$ shit fit when a bug or a hole becomes public knowledge, and 3/4 of the way down the slashdot posts, some guy will point out that the hole was fixed in M$ security bulletin such-and-such over 5 months ago.

      It happens a lot both ways: problems create patches, and also they proactively patch some stuff.

      ~Will

      --
      sig?
  49. More fixes than PAM by Soft · · Score: 3, Informative
    According to the Changelog:
    - markus@cvs.openbsd.org 2003/09/18 08:49:45
    [deattack.c misc.c session.c ssh-agent.c]
    more buffer allocation fixes; from Solar Designer; CAN-2003-0682;
    it would seem that in addition to the PAM patch, there are more buffer management-related fixes which didn't find their way into 3.7.1p1 but prompted Debian to make a third update to ssh. One may want to update even on OpenBSD or with PAM disabled.
  50. "Patch *again*" == no big deal by psyconaut · · Score: 5, Insightful

    The poster seems to insinuate that patching again is a chore...security is, by very nature, a moving target. I'm *glad* they find vulnerabilities and post regular patches...proves to me, at least, that somebody is on-the-ball.

    Heck, just be thankful they don't belong to the Microsoft school of security and fixes ;-)

    -psy

    1. Re:"Patch *again*" == no big deal by Jagasian · · Score: 1

      All upgrades require from the end user is an "apt-get update && apt-get upgrade" on Redhat and Debian. Yup, apt is also for RPM, but Debian still has a much larger standard package repository. You can basically apt-get anything with Debian, while with Redhat you are a little more restricted.

    2. Re:"Patch *again*" == no big deal by Anonymous Coward · · Score: 0

      Do you let end users upgrade your servers? How do you test patches and back them out if you encounter problems?

    3. Re:"Patch *again*" == no big deal by Jagasian · · Score: 1

      You could test upgrades on a test box, and if everything worked, then you could trigger the apt-get upgrade for the other boxes.

      Why would end users upgrade a server? Why would casual users need to test a new package that has already been tested against the distro? I have never had an apt-get upgrade break my Redhat system.

  51. OpenBSD by Tet · · Score: 1
    if you are running OpenBSD, you're safe.

    I've heard statements like these again and again, and every time I thank the decision I made to use OpenBSD on our firewalls. Their focus on security really does pay dividends. Yes, they still get it wrong from time to time. But they're far ahead of the rest of the field.

    --
    "The invisible and the non-existent look very much alike." -- Delos B. McKown
    1. Re:OpenBSD by TheLink · · Score: 1

      http://www.openssh.org/security.html

      "OpenSSH is developed with the same rigorous security process that the OpenBSD group is famous for. "

      So far the only person I can recall off-hand that writes secure code in C is Dan Bernstein.

      The rest should find a safer language to write critical programs.

      --
    2. Re:OpenBSD by Anonymous Coward · · Score: 0

      Anytime someone says
      "I use Xxxxxxx, so I'm safe"
      I translate that to
      "there's someone they'll get sooner or later, because he believes nothing can happen."

      BSD may be better than the rest, but according to my dictionary 'better' is no synonym for 'perfect', and I don't think it ever will be.

  52. Re:As usual.... by Anonymous Coward · · Score: 0

    This post is gaurenteed a -1, when going s/debian/microsoft/g would get +5, insightful. Remember to metamod unfair.

    Self-fulfilling prophecy, eh? It's already -1...
    Try spelling "guaranteed" to get the second part working.

  53. no by Anonymous Coward · · Score: 0

    and you sir, are a hell bound heretic!

    1. Re:no by Anonymous Coward · · Score: 0

      I'm with you 99%.

  54. Potable OpenSSH by jbottero · · Score: 1

    I have no need for Potable OpenSSH, since I only drink alcohol.

  55. That's how this was caught by spineboy · · Score: 1

    I think that code auditing IS going on, and that's why they're noticing these security holes. This is something that an auditor found - there have not (at least to my knowledge) been any crack-ins/compromises due to this.

    --
    ..........FULL STOP.
  56. Look on the bright side. by killermal · · Score: 1

    These exploits ain't all bad. As an OpenBSD security admin i've never felt so valued! :)

  57. Mirrors? by kasperd · · Score: 1

    Is it actually on any mirror site yet? I tried five, none of them had the new version.

    --

    Do you care about the security of your wireless mouse?
  58. To repeat a post above... by Paulo · · Score: 2, Informative

    Nimda:
    Patch Released: August 15, 2001
    Major Exploit Starts: September 18, 2001

    SQL Slammer Worm:
    Patch Released: July 24, 2002
    Major Exploit Starts: January 25, 2003

    MS Blaster Worm:
    Patch Released: July 16, 2003
    Patch Released: August 11, 2003

    So, how was this about "ignoring the problem" again?

    1. Re:To repeat a post above... by bedessen · · Score: 1

      You couldn't have just posted a link to the post you copied and pasted rather than plagiarising?

  59. Patch available for Gentoo already by fatwreckfan · · Score: 1

    The patched version is in the Gentoo portage tree already, so it's time to emerge -u world!

    1. Re:Patch available for Gentoo already by ncc74656 · · Score: 1
      The patched version is in the Gentoo portage tree already, so it's time to emerge -u world!

      emerge sync && emerge -uU openssh && /etc/init.d/sshd restart would be shorter and would do what you want.

      --
      20 January 2017: the End of an Error.
    2. Re:Patch available for Gentoo already by pjack76 · · Score: 1
      Yes, but what if you're still compiling the patches from a few days ago? What then? WHAT THEN INDEED.

      (Joke light blinking, happy gentoo user here.)

      --

      Wow, a lucrative publishing contract! I don't have to be evil anymore. --Meteor

  60. Use real ssh. by Anonymous Coward · · Score: 2, Insightful

    I stopped using OpenSSH last year. These problems were hinted at in the massive flaws from last year. Sure, everything has flaws, but this is like every day, for something that we're supposed to trust FOR security. Hell, at this rate, running telnetd is more secure. It's less likely you'll be sniffed than get hit by some passing worm within 5 mins of putting a box online.

    ssh from ssh.fi is more secure out of the box (no ssh1), requires a lot fewer dependencies on other programs, and is more configurable. Not to mention it's the official version of SSH.

    OpenSSH == wuftpd/sendmail of security software, get rid of it. At least for now.

    1. Re:Use real ssh. by Anonymous Coward · · Score: 0

      You're a troll and I claim my $5.

    2. Re:Use real ssh. by Anonymous Coward · · Score: 0

      This message proudly brought to you by Tatu Ylonen and his friends at ssh.com

  61. Here comes another Mac OS Update by digitalgimpus · · Score: 1

    24 hours after release...

    damn.

    At least we know a patch will come about quick.

  62. Finding the version number by AnEmbodiedMind · · Score: 1

    Any idea how to find what version of sshd is running? Looking at the man pages on OS X, and all the advisories, offers no info on how to simply get the version number out of the binary... Usually a simple sshd --version would work with most things. I did manage to find something that is probably the version number on my machine by running strings "/usr/sbin/sshd" and sifting through the output, but it is not ideal...

    1. Re:Finding the version number by rottcodd · · Score: 1

      If it's running, ssh -v to it and the version will be printed.

    2. Re:Finding the version number by Sevn · · Score: 1

      Actually, ssh -V

      --
      For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
    3. Re:Finding the version number by Anonymous Coward · · Score: 0

      Or just telnet to port 22..

    4. Re:Finding the version number by Rogerborg · · Score: 1

      Once again proving the superior usability of a CLI over one of those messy, hard to understand gooweys.

      --
      If you were blocking sigs, you wouldn't have to read this.
    5. Re:Finding the version number by Sevn · · Score: 1

      HEAR! HEAR!
      It's nice to see an unbiased K5er such as yourself chime in to back me up. To H-E double hockeystick with those point and click mazes one has to go through to find things with a "gooweys". It's good that people like you and myself will be around when the outlook virus that ends the world happens so we can help retrain the unclued masses. I will shed a tear that day like the Indian in those old irish spring commercials. But it will be a tear of joy my friend.

      --
      For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
    6. Re:Finding the version number by Rogerborg · · Score: 1

      I'm only unbiased in that I hate everyone and everything. And I gave up on K5 long ago; it requires far too much time and effort to troll effectively. Slashdot is like trolling with training wheels in comparison.

      --
      If you were blocking sigs, you wouldn't have to read this.
    7. Re:Finding the version number by Sevn · · Score: 1

      You are damn right. :) I've been coming up with all sorts of interesting angles, but not really turning up the heat.

      --
      For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
  63. It's bloated and... by yanestra · · Score: 1
    Sorry to say that again, but this is only tip of the iceberg, I guess.

    OpenSSH has grown a little too big to be maintained properly.

    Okay, mod me down again...

    1. Re:It's bloated and... by Anonymous Coward · · Score: 0

      If you look at the ftp site, the OpenSSH releases have actually been getting smaller. The release size (gzipped) of 3.7.1p2 is around 80k smaller than 3.6.1p1.

  64. You think you're joking but you're not by Skreech · · Score: 2, Funny
  65. It's Microsoft's Fault by Anonymous Coward · · Score: 0

    Apparently, and I have this on good authority, the reason this bug exists is because the existence of Windows periodically alters the space-time continuum. In other words the oh so perfect Open BSD coders are aiming at a moving target -- what they thought was a solution would have worked in a parallel universe but Gates deliberately altered our time line in an attempt to discredit the UNIX world. In other words, this is nothing more than Microsoft FUD.

  66. New ? by MaGGuN · · Score: 1

    There is nothing new about this vulnerability, it has been there all along, the _discovery_ of it, is however new.

    1. Re:New ? by TheLink · · Score: 1

      Actually wasn't it introduced in 3.7?

      --
  67. OS X - probably not affected by phooka.de · · Score: 2, Interesting
    For those out there wondering - after the latest update to 10.2.8, ssh shows this version:

    OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090609f

    In the advisory on securityfocus, it says that the affected versions are "Portable OpenSSH versions 3.7p1 and 3.7.1p1" - so it seems that since it's not using the latest, hottest implementation, OS X is not affected.

    Of course, I'm only guessing here...
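    The two questions above (how to read the sshd version without a --version switch, and whether a given version string such as the OS X one falls in the advisory's affected range) can be answered with a short script. This is an added example, not code from the OpenSSH project: it reads the identification line from port 22 (what "telnet host 22" shows), parses it or an "ssh -V" line, and compares the release against the two portable versions the quoted advisory lists. The version set is taken from that quote; the sample strings are constructed. Treat "not listed" as exactly that, not as "safe": as other posts in this thread point out, vendors backport fixes without changing the version string.

```python
import re
import socket

# Releases the SecurityFocus advisory quoted in the thread lists as affected
# (portable OpenSSH 3.7p1 and 3.7.1p1). Anything else is "not listed", which
# is weaker than "safe": distributions backport fixes without changing the
# version string, so the banner is a first-pass check, not a verdict.
AFFECTED_PORTABLE_VERSIONS = {"3.7p1", "3.7.1p1"}

# Matches the release in both forms seen in the thread: the wire banner
# "SSH-2.0-OpenSSH_3.7.1p2" and the "ssh -V" output
# "OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, ...". The "pN"
# suffix is what marks a *portable* build; the native OpenBSD build
# (e.g. "OpenSSH_3.7.1") has none and is deliberately not matched.
_VERSION_RE = re.compile(
    r"OpenSSH[_-](?P<ver>\d+(?:\.\d+)*p\d+)(?P<tags>(?:\+[A-Za-z0-9.-]+)*)"
)


def parse_openssh_version(text):
    """Return {'version': '3.4p1', 'tags': ['CAN-2003-0693']} for a banner
    or 'ssh -V' line, or None if no portable OpenSSH release is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    tags = [t for t in m.group("tags").split("+") if t]
    return {"version": m.group("ver"), "tags": tags}


def assess(text):
    """Classify a version string against the advisory's affected list."""
    info = parse_openssh_version(text)
    if info is None:
        return "unknown"        # native OpenBSD sshd, another SSH, or garbage
    if info["version"] in AFFECTED_PORTABLE_VERSIONS:
        return "affected"
    return "not listed"         # includes vendor builds tagged with a fix ID


def fetch_banner(host, port=22, timeout=5.0):
    """Read the server's identification line, the same thing 'telnet host 22'
    shows. Done over the network; not exercised by the offline samples below."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while not data.endswith(b"\n") and len(data) < 256:
            chunk = sock.recv(256 - len(data))
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace").strip()


if __name__ == "__main__":
    # Constructed samples: the first is the 10.2.8 string quoted in the
    # thread, the others are what patched and unpatched banners look like.
    for sample in (
        "OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090609f",
        "SSH-1.99-OpenSSH_3.7.1p1",
        "SSH-2.0-OpenSSH_3.7.1p2",
        "SSH-2.0-OpenSSH_3.7.1",
    ):
        print("%-75s -> %s" % (sample, assess(sample)))
```

    To check a live host, call fetch_banner("hostname") and pass the result to assess(); the "+CAN-2003-0693" tag Apple appended is kept in the returned tags list so a script can tell a backported build from a plain one.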

  68. Thank God I'm running Linux by Anonymous Coward · · Score: 0

    Otherwise this Windows SSH bug would be tearing me up! I mean, really! First Microsoft releases a patch to their buggy SSH implementation, and then the patch opens a new, even BIGGER hole. Those idiots at Microsoft can't get anything right! No wonder open source is so much better!

    I feel so safe and secure knowing my Linux software doesn't have bugs like this, and my remote shell software is totally secure against intrusion.

    Oh, wait...

    I forgot...

    This is a Linux bug that was patched and caused another bug! Oh, perish the thought!

    So, where are the 748 comments all screaming about how pitiful security is on Linux systems? You know, those same screamers who loudly bitch and moan and jump up and down whenever a Microsoft patch breaks something else?

    Dare I smell a little hypocrisy?

    Oh, wait...

    I forgot...

    This is Slashdot, where hypocrisy is considered a virtue.

    1. Re:Thank God I'm running Linux by Seabass55 · · Score: 1

      hypocrisy? maybe...but something deep down inside me makes me EXPECT a lot more out of an OS that you pay for than one that is free. I have less problems to deal with (let's even assume that linux has just as many problems as windows)...same amount of problems yet it's free. Gee...if I was paying for Windows I'd be pretty pissed (pirated copies excluded from my random rambling)

    2. Re:Thank God I'm running Linux by yanestra · · Score: 1
      This is a Linux bug that was patched and caused another bug! Oh, perish the thought!
      You are confusing something.

      This is no Linux bug.

      It's a bug of OpenSSH.
      OpenSSH is neither Linux itself nor part of it.

      Possibly, it is part of a Linux distribution that you might have obtained. Even there, it should be optional.

      That's the big difference, compared to Microsoft "everything-in-one" products.

    3. Re:Thank God I'm running Linux by Anonymous Coward · · Score: 0

      No, I think it's you who's doing the confusing. If you want to make the distinction between an OpenSSH bug and a Linux bug, then you must also make the distinction between an IIS bug and a Windows bug, or an Outlook bug and a Window bug, or an IE bug and a Windows bug. Come to think of it, bugs in the Windows kernel itself have been very few and far between...about as rare as bugs in the Linux kernel. But of course, you're not about to actually say that, are you? After all, to do so would sour the whole argument that Windows sucks. It would *gasp* make it sound like Windows itself is pretty good but the bundled apps are the party at fault.

      And don't hand me some ridiculous fucked up shit about how Windows is "all in one" and Linux isn't. Linux distros come bundled with shitloads of apps, many of which sooner or later reveal bugs and exploits, just like bundled Windows apps. Don't like the bundled Windows stuff? Then don't load it! Win2k3 can be loaded with practically *nothing* in it, not even IIS! IE can even be removed if you're paranoid, although it comes disabled by default.

      Seems to me you're overlooking the flexibility that Windows can offer you, but that's par for the course. Hypocrite.

    4. Re:Thank God I'm running Linux by yanestra · · Score: 1
      If you want to make the distinction between an OpenSSH bug and a Linux bug, then you must also make the distinction between an IIS bug and a Windows bug
      Not quite true, because OpenSSH can be run on more platforms than only Linux.
      E.g. on my FreeBSD servers, it's halfway the same problem as is reported for Linux machines.

      With a IIS piece of software, you will have a small problem in finding a different platform.

      And don't hand me some ridiculous fucked up shit about how Windows is "all in one" and Linux isn't. Linux distros come bundled with shitloads of apps, many of which sooner or later reveal bugs and exploits, just like bundled Windows apps.
      If you want to fix something, it's an easy thing with Windows. You simply take the source, and fix the bug, right?

      Or: You report the bug and go praying to church for your bug may be qualified important enough to be fixed.

    5. Re:Thank God I'm running Linux by Anonymous Coward · · Score: 0

      If you want to fix something, it's an easy thing with Windows. You simply take the source, and fix the bug, right?
      Or: You report the bug and go praying to church for your bug may be qualified important enough to be fixed.


      Or, since I'm a non-programmer who doesn't know the first things about C source code, if I find a problem with Linux, I report the bug (if I can find out who to report it to and if that person is still the maintainer of the code and if that person still has a valid way of being contacted) and then "go praying to church for your bug may be qualified important enough to be fixed."

      If you're a non-programmer (and the vast majority of the world is, you insensitive clod), having the damned source code doesn't matter one hill of beans. Quit throwing that fucking "you've got the code, you go fix it" defense up. Microsoft's been fixing bugs that I never even knew about long before they became a problem for me. There's absolutely no benefit whatsoever (and many drawbacks) to me using Linux for certain desktop tasks when I neither have the time nor the interest to go delving through someone else's source code to fix a problem they should've fixed in the first place.

      But that doesn't matter to you, does it? You've got your nifty little "source code" defense ready. And I suppose your advice to us non-programmers would be "well, you ought to have to learn to program in order to use a computer." Elitist fucker.

  69. /. logic strikes again! by GoofyBoy · · Score: 1


    Lots of patches and OpenSource = GOOD!

    Lots of patches and M$ = BAD!

    This actually scares me more than recent MS holes because with SSH I'm doing "top-secret hush-hush no-girls-allowed club" stuff and so I really am depending a lot on this piece of software.

    --
    The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
    1. Re:/. logic strikes again! by psyconaut · · Score: 1

      I was pointing out that MS patches are few and far between....I'd actually prefer more regular patches from MS!

      ssh is way more secure, than say, PC Nowhere ;-)

      -psy

    2. Re:/. logic strikes again! by kcbrown · · Score: 1
      Lots of patches and OpenSource = GOOD!

      Lots of patches and M$ = BAD!

      That's because most Microsoft patches require you to reboot the box, while most open source patches only require you to restart the affected service.

      When I updated ssh on my box (Debian is awesome for this), all it did was restart the ssh listener. It didn't even affect existing ssh connections.

      Had this been a Microsoft box, a reboot would probably have been required.

      So: it's the difference between having to take down all services just to keep up to date on patches, and having to (very briefly) take down individual services as they're patched. That's a huge difference, and that's why frequent patches from MS are a bad thing.

      --
      Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
  70. Re:fact of life? Fact of C programmers by berenddeboer · · Score: 1

    Do you seriously expect an end to buffer overflows while people keep programming in C? That's the issue. Use an unsafe language and you are bound to remain a fool.

    --
    If I had a sig, I would put it here.
  71. Hmm... by Dr+Rick · · Score: 3, Interesting

    Doesn't it seem strange that the finding of multiple bugs in the same piece of open source software in a short period of time is stated as a strength of open source while the same thing in Microsoft software is stated as a weakness... Yes, in the open source case they were found by code inspection and in the case of Microsoft they were found by exploit, but a patch a day is still a patch a day. It's not always a good idea to rush patches out as soon as a potential hole is found...

    --

    Dr. Rick
    - "It's such a fine line between clever and stupid" (Nigel Tufnel)
    - Zort! (Pinky)
  72. Take "OPEN" out of the name by JavaJoint · · Score: 2, Funny


    Ya know, maybe it's time to take the word "Open" out of OpenSSH. It's becoming too much of a self-fulfilling prophecy.

    How about "TheSourceIsOpen_ButWeWillBeDamnedIfYouGetInWithoutAPasswordSSH"? ...

  73. Deja-vu again by Ricin · · Score: 1

    Last time we had a big OpenSSH rush we got the same thing, when privilege separation was introduced and updating was the only way to be safe.

    OpenBSD was fixed of course, others had (rightly, hmm not always at least) updated to something that was vulnerable. And before that the CRC bug...

    I'm not taking this too seriously anymore.

  74. List of Who Is/Not Vulnerable by Anonymous Coward · · Score: 0

    Check out CERT's vulnerability notes to see if you are vulnerable. Most of the major distros of Linux are NOT vulnerable since they backported patches to pre-3.7p1 versions rather than upgrade their users to 3.7p1 or 3.7.1p1.

    http://www.kb.cert.org/vuls/id/602204

    IBM eServer and Cisco are still listed as unknown.

  75. Lack of software freedom is bad. by jbn-o · · Score: 1
    Lots of patches and OpenSource = GOOD!
    Lots of patches and M$ = BAD!

    Actually, it is the lack of software freedom that is bad. You can't understand the value of software freedom unless you look at who may make and distribute the patches and who can not. With proprietary software no matter how talented a hacker you are you can't fully inspect or modify the software installed on your computer.

    With free software, how much you can inspect, modify, and share code depends on your situation (often how much time and effort you put into developing code). I wouldn't want to buy a car only one garage could fix, I wouldn't want to be limited to one electrician or plumber for my house. I don't want to be limited to one organization for getting improvements to the software I depend on.

  76. nope by Anonymous Coward · · Score: 0

    They mean the problem has to be with pam, that's the code related to pam, not the pam itself.

  77. gasp by Cat_Byte · · Score: 0, Troll

    You mean the Windows version of putty is still secure and open source isn't? for shame! Go ahead anti MS fascists. Mod me down. If I had said it the other way around it would be +5 informative. I use both and the only reason I still use MS is because the programs I want to run won't run on *nix. They've had years to make it work and haven't yet even in beta. Make Quicken and my games work in *nix and my path to the dark side will be complete.

    --
    Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
    1. Re:gasp by Anonymous Coward · · Score: 0

      Oh look, a 100% factual statement modded down as troll because it showed an instance where Microsoft had a compatible client better than the alternative one with a hole in it. This moderator needs to be kicked off slashdot.

  78. "safe" [Re:OpenBSD] by Bernie · · Score: 1

    To say "you're safe" without qualification is surely tempting fate. I'm pretty sure the crackers out there take more satisfaction in breaking software backed by such arrogant, bullish claims!

    "safe wrt this bug" would be more appropriate.

  79. You know.... by cREW+oNE · · Score: 1

    With windowsupdate you at least have a single place to download these patches...

    (Woops... there goes my karma!)

    --

    +++ATH0

  80. Re:As usual.... by beezly · · Score: 1

    Ahem, I hate to point it out, but the debian stable release of the ssh package isn't even vulnerable. What's wrong with backporting fixes? It seems to be good enough for Apple and Sun.

  81. RE: New vulnerabilities by Loconut1389 · · Score: 1

    As far as I know, 3.7.1p2 was available when all these vulnerabilities were first mentioned a while back. The first thing I downloaded was 3.7.1p2.. So I don't think this is new news.

    Also, been having problems with 3.7.1p2 on Solaris 9. Doesn't seem to matter which libwrap I compile against (using configure --with-tcp-wrappers), it seems to have trouble parsing hosts.allow.

    example file:
    ALL: 127.0.0.1
    sshd: 123.231.213.1 123.231.213.2 123.231.213.3
    ALL: PARANOID: DENY
    ALL: ALL: DENY

    ALL: ALL: DENY gets parsed as ALL: ALL and accepts connections from anywhere
    Removing that line then denies all connections. Making sshd: ALL opens it up to everything again.. sshd: 123.231.213.1 by itself doesn't work, sshd: IP IP IP (list of IPs as above) doesn't work... sshd: hostname or sshd: hostname hostname hostname etc doesn't work....

    been dealing with this since the release... anybody have this problem?
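    One plausible reading of the behaviour reported above: the extended "daemon_list : client_list : DENY" syntax is hosts_options(5), which libwrap only understands when it was built with PROCESS_OPTIONS. Without that, the third field of a hosts_access(5) rule is a shell command, so "ALL: ALL: DENY" in hosts.allow reads as "allow every client of every daemon, and try to run DENY", which is exactly "parsed as ALL: ALL and accepts connections from anywhere". The classic split that needs no option support puts the allow rules in hosts.allow and the catch-all in hosts.deny. The script below is an added example, not part of the post or of libwrap: it models libwrap's decision order for IPv4 clients over the posted hosts.allow (constructed sample input) and the split form, and shows that the first admits everyone while the second does what the post wants. Hostname, KNOWN/UNKNOWN/PARANOID and EXCEPT patterns need DNS and are not modelled; in this example they simply never match, which is an assumption of the example and not libwrap behaviour.

```python
# Minimal model of libwrap's hosts_access(5) decision for IPv4 clients:
# first matching rule in hosts.allow grants, then first matching rule in
# hosts.deny refuses, otherwise access is granted. Hostname, KNOWN/UNKNOWN/
# PARANOID and EXCEPT patterns need DNS and are not modelled here; they
# simply never match (an assumption of this example, not libwrap behaviour).


def _ip_to_int(dotted):
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("bad IPv4 address: %r" % dotted)
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def _parse_rules(text):
    """Parse 'daemon_list : client_list [: shell_command]' lines. Without
    PROCESS_OPTIONS a third field is a command to run, not a verdict, so
    'ALL: ALL: DENY' is an allow-all rule that tries to execute 'DENY'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("need 'daemon_list : client_list': %r" % raw)
        shell_cmd = fields[2] if len(fields) > 2 else None
        rules.append((fields[0].split(), fields[1].split(), shell_cmd))
    return rules


def _match_client(pattern, client_ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                        # prefix: 123.231.213.
        return client_ip.startswith(pattern)
    if "/" in pattern:                               # net/mask form
        net, mask = pattern.split("/", 1)
        m = _ip_to_int(mask)
        return _ip_to_int(client_ip) & m == _ip_to_int(net) & m
    if pattern.count(".") == 3 and pattern.replace(".", "").isdigit():
        return _ip_to_int(pattern) == _ip_to_int(client_ip)
    return False                                     # hostname/wildcard: see above


def _match_daemon(patterns, daemon):
    return any(p == "ALL" or p == daemon for p in patterns)


def hosts_access(allow_text, deny_text, daemon, client_ip):
    """True if libwrap would admit client_ip to daemon."""
    for rules, verdict in ((_parse_rules(allow_text), True),
                           (_parse_rules(deny_text), False)):
        for daemons, clients, _cmd in rules:
            if _match_daemon(daemons, daemon) and \
               any(_match_client(c, client_ip) for c in clients):
                return verdict
    return True


# Constructed sample: the hosts.allow from the post above.
POSTED_ALLOW = """\
ALL: 127.0.0.1
sshd: 123.231.213.1 123.231.213.2 123.231.213.3
ALL: PARANOID: DENY
ALL: ALL: DENY
"""

# The same intent split across the two files, which needs no option support.
SPLIT_ALLOW = """\
ALL: 127.0.0.1
sshd: 123.231.213.1 123.231.213.2 123.231.213.3
"""
SPLIT_DENY = "ALL: ALL\n"


if __name__ == "__main__":
    for allow, deny, label in ((POSTED_ALLOW, "", "posted hosts.allow"),
                               (SPLIT_ALLOW, SPLIT_DENY, "split allow/deny")):
        for ip in ("127.0.0.1", "123.231.213.2", "10.0.0.5"):
            verdict = "allow" if hosts_access(allow, deny, "sshd", ip) else "deny"
            print("%-20s sshd from %-15s -> %s" % (label, ip, verdict))
```

    Running it prints "allow" for 10.0.0.5 under the posted file and "deny" under the split form. If the build really does have PROCESS_OPTIONS, tcpdchk on the host is the authoritative way to see how libwrap itself parses the file; this model is only an aid to reasoning about the rule order.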

  82. What happened? by SnowZero · · Score: 1

    Why has OpenSSH seemingly become the new WuFTPd? I guess on the bright side it *is* getting more secure now.

  83. Automatic Updates by Risto · · Score: 1

    in a properly set up mandrake box making sure
    the below two lines get run once a day takes care of the problem

    urpmi.update update_source
    urpmi --update --auto --auto-select

    what is the windows equivalent?
    set windows update to automatically download and install patches for you

    the odds of an automatic update screwing things up are laughably minuscule, compared to leaving your box unpatched