
OpenSSH 5.4 released

OpenSSH 5.4 released

Posted Mar 8, 2010 17:27 UTC (Mon) by lkundrak (subscriber, #43452)
Parent article: OpenSSH 5.4 released

> * Disable OOM-killing of the listening sshd on Linux. bz#1470

I'm wondering what sense this makes. Turning off a feature that would kill sshd once it goes mad and eats up all the memory and kill everything else instead? Or do they assume the oomkiller to be that stupid?



OpenSSH 5.4 released

Posted Mar 8, 2010 17:36 UTC (Mon) by ewan (guest, #5533) [Link]

Oftentimes it is that stupid, and can make a bad situation considerably worse by cutting off any hope you might have had of SSHing in and fixing the actual problem.

OpenSSH 5.4 released

Posted Mar 8, 2010 20:30 UTC (Mon) by drag (guest, #31333) [Link] (4 responses)

As far as OpenSSH is concerned, specifically, the chances of sshd flipping out and using all your
ram is much much less than having other applications flip out and use all your RAM and having
OOM kill off sshd.

For most uses of Linux killing off sshd would have a similar effect of killing off 'getty' on a local
console. OOM Killer operating in this manner is effectively like having the Linux kernel perform
its own denial of service attack on userland.

OpenSSH 5.4 released

Posted Mar 9, 2010 1:43 UTC (Tue) by BrucePerens (guest, #2510) [Link]

Remote servers without dedicated remote consoles are a lot cheaper than the other kind. Only $30 to $70 per month for a pretty good server. Of course I have them set to reboot if sshd dies, or if they can't reach their router.

OpenSSH 5.4 released

Posted Mar 9, 2010 23:26 UTC (Tue) by herodiade (guest, #52755) [Link] (2 responses)

> the chances of sshd flipping out and using all your ram is much much less

Also note protection is on the _listening_ sshd (that's not a whole lot of code; not the user's child processes, for instance).

With regard to the new certificate format, does anyone here know why X.509 doesn't fit well for SSH?

Someone maintains a patchset to include support for X.509 certificates here: http://roumenpetrov.info/openssh/ ; I can see some benefit with that from an end-user perspective (mostly, reusing existing tools for PKI management, certificate revocation lists, etc).

OpenSSH 5.4 released

Posted Mar 9, 2010 23:56 UTC (Tue) by djm (subscriber, #11651) [Link] (1 responses)

I chose to avoid X.509 mostly because it is complex in encoding (ASN.1) and
semantics. Consider the number of ASN.1 related bugs that OpenSSL and other
implementations have suffered from - the fact that nobody gets this right is
a good signal that it is overly complex. Unfortunately, key/cert parsing and
validation is by necessity in the critical pre-authentication attack surface
of sshd, so bugs there are particularly nasty and could be used to write
worms.

The OpenSSH certificate format uses existing SSH signature formats and wire
encoding primitives, so all of that code is reused. Also, because these
certificates are not tied into such a heavyweight and hierarchical model of
identity, the semantics of certificates and the workflow of creating
them is much simpler.

OpenSSH 5.4 released

Posted Mar 12, 2010 13:53 UTC (Fri) by BSchuller (guest, #64336) [Link]

Hi,

X.509 may be complex, but it is widely used, and many
X.509 based infrastructures exist. Therefore, introducing a
home-grown version of X.509 requiring admins to effectively
run their own CA is hard to understand.
I think it would be a very good move if X.509 could be
supported in OpenSSH. Admins who think the security risk is
too high can always opt-out.

Best regards,
Bernd.

