Slashdot Mirror


The OpenSSH Bug That Wasn't

badger.foo writes: Get your facts straight before reporting, is the main takeaway from Peter Hansteen's latest piece, The OpenSSH Bug That Wasn't. OpenSSH servers that are set up to use PAM for authentication and with a very specific (non-default on OpenBSD and most other places) setup are in fact vulnerable, and fixing the configuration is trivial.

3 of 55 comments

  1. Spoiler by bobstreo · Score: 5, Informative

    According to the article, it's a bug in PAM.

    You shouldn't see this behaviour with SSH unless you have PAM authentication turned on. And apparently only in FreeBSD?

      And as OpenBSD developer Marc Espie says in his message,

            Not surprisingly, as the patch clearly shows, the problem is right smack in the middle of USE_PAM code.

            I wouldn't call that an OpenSSH bug. I would call it a systemic design flaw in PAM. As usual. LOTS of security holes in authentication systems stem from PAM. Why? Because that stuff is overdesigned. Difficult to configure. Gives you MORE than you need to hang yourself several times over. It's been that way for as long as I can remember.

  2. No it's a bug in OpenSSH by pavon · Score: 3, Informative

    It is a bug in OpenSSH misusing PAM. They argue that these sorts of bugs wouldn't be as easy to make if PAM was less complicated, which is certainly true, but it is still a bug in OpenSSH.

  3. Re:I love the attitude by Anonymous Coward · Score: 2, Informative

    Explain to me how having to guess a username AND a password during a bruteforce attempt is the same as already knowing and being able to log in as a uid=0 user (root) and just having to bruteforce the password.
    "No security benefit at all" != makes my life more difficult because I have to learn how to use su and leave audit trails and unique users in my sloppy throwing code around developer life.