OpenSSH 3.4
Posted Jun 27, 2002 14:41 UTC (Thu) by garloff (subscriber, #319)
Parent article: OpenSSH 3.4
The whole process of keeping the problem secret from Linux
distributors and publishing the vulnerability without prior
notification of the distributors can at best be given the
label "poor handling". The Linux distributors were forced to
upgrade to the PrivSep enabled openssh-3.3 despite some
unresolved issues with that feature and despite the fact that
the time did not allow for proper testing.
Now, it turns out that most Linux distributors are not affected
by this vulnerability in the default configuration, as most did
not compile S/Key or BSDauth support in. And no distribution
and only few admins will have enabled PAMAuthenticationViaKbdInt,
which is off by default.
Still, the distributors had no choice as they did not know.
Except for Alan, maybe, whose reaction towards Theo from the
backward perspective now seems justified and reasonable.
One could speculate that Theo could not stand the thought that
only OpenBSD and not Linux would be affected, when OpenBSD is
allegedly so much more secure than the Linux versions out there.
So he made the Linux distros spread uncertainty to their customers
as well and -- nice side-effect -- force them into a design that
he considers (and which probably is) more secure but which has not
yet received enough test coverage.
He was successful: The Linux distros shared the mess around the
vulnerability with him; despite the fact that most were not even
affected.
Excellent service to Microsoft! Thanks, Theo!
And I'm not even speaking of the thousands of security aware
admins and security people at distributions that he made nervous
and who have missed some hours of sleep.
And to confirm Alan: We don't trust you Theo! Never again!