Quoting Ian C. Sison ([EMAIL PROTECTED]):

> You might want to read this: (from LWN.NET)

Yes indeed!

> Theo de Raadt has announced a vulnerability in OpenSSH. "There is an
> upcoming OpenSSH vulnerability that we're working on with ISS. Details
> will be published early next week." The latest version, 3.3, does not
> specifically fix the problem, but it creates an environment in which the
> bug may not compromise your system. While waiting for the actual fix, you
> may want to upgrade to 3.3.
>
> ===================================
>
> Note to all that the PrivSep feature of 3.3 does not work with compression
> enabled (the default) ON KERNEL 2.2.x; You need to turn off compression for
> it to work. Be warned! Updating a remote openssh, kernel 2.2. system with
> both privsep and compression enabled will make the ssh server bomb out and
> the result is you will lose the ability to connect to the remote ssh
> server, which means...

For whatever it's worth, here's what I recently posted on the subject
(slightly corrected to fix an omission):

From rick Mon Jun 24 20:02:23 2002
Date: Mon, 24 Jun 2002 20:02:23 -0700
To: [EMAIL PROTECTED]
Subject: OpenSSH security hole, announced Monday 2002-06-24

We're in a strange and somewhat unpleasant situation with OpenSSH:
http://archives.neohapsis.com/archives/openbsd/2002-06/2079.html

Summary: Theo de Raadt of the OpenBSD Foundation (sponsors of the portable
OpenSSH version we use on Linux) warns that there's a vulnerability in
_all_ current OpenSSH daemon code, but that he can't release details yet.
Details will come out in about a week. Theo recommends that everyone
upgrade to the current 3.3p release anyway, because of an unrelated but
useful -- yet problematic -- feature it supports called "privilege
separation". Implementing his suggestion means upgrading, then adding a
new line to /etc/ssh/sshd_config and restarting the daemon.

My comments: Traditionally, OpenSSH runs as an SUID-root binary, forking
off multiple copies as required. The new feature runs a base copy as root,
but most of the code runs as a non-root user, inside a chroot jail. Thus,
any remote exploits of the exposed code are less likely to cause damage,
as attackers will also face the separate problem of escalating privilege
and breaking out of the chroot jail.

The problem is that (1) de Raadt says enabling privilege separation "may
break some ssh functionality". de Raadt mentions PAM as a possible problem
area, and some have interpreted this as meaning that priv sep breaks PAM.
_But_ understand that de Raadt is just generically anti-PAM: Nothing he's
said has claimed specific breakage in that area. (2) Since priv sep is very
new code, it might not work as designed. (3) The implication of all this
is that the bad guys _may_ already have a not-publicly-known exploit and
been using it for some time.

I've been running 3.3p on my Debian-testing (3.0 = woody) systems -- and
with priv sep enabled -- since this morning, with no problems so far. Note
that Debian 2.2 (I think?) and later has used PAM.

Sysadmins of Debian-testing systems should consider doing as I did:

1. Add this line to /etc/apt/sources.list to prospectively monitor the
   new-ish Debian-testing Security Team package updates archive:

   deb http://security.debian.org/ testing/updates main contrib non-free

2. Do "apt-get update ; apt-get dist-upgrade" to get the new versions.

3. Regrettably, because the Debian-testing Security archive puts security
   ahead of version sync, the above's updating of Mozilla will remove
   Galeon (if present). To get it back, retrieve the version 1.2.5
   packages of galeon and galeon-common from
   ftp://ftp.debian.org/debian/pool/main/g/galeon/
   Install using "dpkg -i".

4. Add this new line to /etc/ssh/sshd_config:

   UsePrivilegeSeparation yes

5. Restart sshd.

Works for me<tm>.

-- 
Cheers,             The difference between common sense and paranoia is that common sense
Rick Moen           is thinking everyone is out to get you. That's normal; they are.
[EMAIL PROTECTED]   Paranoia is thinking they're conspiring.  -- J. Kegler
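A pre-flight check for step 4/5 above, added here as an example (not part of the original mail or of OpenSSH): before restarting sshd on a freshly upgraded host, it reads sshd_config and flags the combination the quoted note warns about, privilege separation plus compression (the default) on a 2.2.x kernel, so a remote restart does not lock you out. It assumes sshd's first-match, case-insensitive keyword handling and a default of "Compression yes"; the function names are my own.

```shell
#!/bin/sh
# privsep-check.sh: warn before restarting an OpenSSH 3.3 sshd whose config
# would trip the privsep+compression failure on kernel 2.2.x.
# Added example, not from the original mail. Assumes sshd uses the first
# uncommented occurrence of a keyword (case-insensitive) and defaults to
# "Compression yes" and "UsePrivilegeSeparation no".

# sshd_opt FILE KEYWORD DEFAULT: print the first uncommented value of
# KEYWORD in FILE, or DEFAULT when the keyword is absent.
sshd_opt() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        $1 ~ /^#/ || NF < 2 { next }          # skip comments and blank lines
        tolower($1) == key { print $2; exit } # first match wins, as in sshd
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# privsep_safe FILE KERNEL_VERSION: returns 0 when restarting is safe,
# 1 when privsep+compression on a 2.2.x kernel would make sshd bomb out,
# 2 when privilege separation is not enabled at all (nothing gained yet).
privsep_safe() {
    privsep=$(sshd_opt "$1" UsePrivilegeSeparation no | tr 'A-Z' 'a-z')
    compression=$(sshd_opt "$1" Compression yes | tr 'A-Z' 'a-z')
    case "$privsep" in
        yes) ;;
        *) echo "UsePrivilegeSeparation is not enabled in $1" >&2; return 2 ;;
    esac
    case "$2" in
        2.2.*)
            if [ "$compression" != no ]; then
                echo "kernel $2 with privsep and Compression=$compression:" \
                     "sshd would fail to start; set 'Compression no' first" >&2
                return 1
            fi ;;
    esac
    return 0
}

# Usage: sh privsep-check.sh /etc/ssh/sshd_config [kernel-version]
if [ $# -ge 1 ]; then
    privsep_safe "$1" "${2:-$(uname -r)}"
fi
```

Run it over the live sshd_config on the remote box before step 5; a non-zero exit means fix the config first.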
