
Merry Christmas from FreeBSD

The FreeBSD security team has sent out a holiday card of sorts to its users. "No, the Grinch didn't steal the FreeBSD security officer GPG key, and your eyes aren't deceiving you: We really did just send out 5 security advisories." The motivating factor appears to be this vulnerability in telnetd; anybody who exposes a telnet port to the net on FreeBSD is currently open to a remote root exploit. The number of LWN readers doing so must be tiny (if, indeed, it's nonzero), but it seems worthwhile to get the word out there anyway.

Merry Christmas from FreeBSD

Posted Dec 23, 2011 20:39 UTC (Fri) by mikov (subscriber, #33179) [Link]

Telnet is not as rare as we may think.

I recently encountered a couple of relatively important companies (which shall remain unnamed, sadly) selling and using Linux software, who to my utter shock were using Telnet pervasively and were mostly unaware of ssh. Perhaps this isn't surprising given that they also (ab)used VNC for remote access to Linux workstations.

This is not exactly related to FreeBSD, but here goes: Linux has gained a lot of ground, especially in the embedded arena, but with that also comes a lot of incompetence, and it is staggering. It is a far cry from what we might imagine on LWN. Merging with the mainline kernel - pfffft - nobody is even aware of a "mainline" or even "kernel". GPL - never heard of it. Some people actually do believe that you do not have to follow the GPL if you pay some amount of money to "Linux". WTF? It is all a disgusting mess of binary drivers and GPL violations.

Lastly, nobody actually uses Linux for development. Embedded software is developed on Windows with Visual Studio (not even Cygwin - nobody has heard of Cygwin) and only occasionally tested on Linux (in a VM of-course - Linux on actual hardware is scary). Binaries, shared libs, configuration files and even logs are all stored in the same directory in true Windows fashion. Of course shared libs exist multiple times (.so, .so.1, .so.1.2, etc) because nobody knows about symbolic links and they copied the files with Windows Explorer.

I am truly depressed. I hope I have observed an exception, but I doubt it.

On the bright side, it means more job security for LWN readers :-)

Merry Christmas from FreeBSD

Posted Dec 23, 2011 21:25 UTC (Fri) by jd (guest, #26381) [Link]

I've seen similar across other Linux-using companies. Awareness isn't what it [c|sh]ould be. However, the problem isn't limited to Linux. I've seen plenty of *BSD admins advocate telnet.

Probably one of the scariest situations was where an organization who shall not be named refused to run SSH but used RSH with .hosts files because that was "more secure". I spent about a week sobbing into my beer.

Merry Christmas from FreeBSD

Posted Dec 23, 2011 23:00 UTC (Fri) by mordae (subscriber, #54701) [Link]

I usually run away. And learn that it's the same s... over there as well.

Seriously, do people screw up this much in other areas as well? Or is it IT specific?

Merry Christmas from FreeBSD

Posted Dec 23, 2011 23:28 UTC (Fri) by jd (guest, #26381) [Link]

It seems pretty universal. I've seen similar... phenomena in many other fields. The Guardian newspaper over in the UK did a series of articles on risk assessment and achievement assessment, which claimed to show that people are bad at both.

To bring this back to IT, it does demonstrate (to me, anyways) that we do need something analogous to Formal Methods. We need objective tools and techniques for ensuring that the correctness of what is done meets the desired standard. Formal Methods are not much used because they are difficult to use well and transfer almost the entire effort into getting things right the first time.

(Consider how long it takes a project in Linux to go from first idea to an ultra-stable form, along with all the developers and testers it needs to do that. Now make that the up-front cost before anything is released at all.)

Merry Christmas from FreeBSD

Posted Dec 24, 2011 8:07 UTC (Sat) by mordae (subscriber, #54701) [Link]

Yeah, we need to fix the insane hunt for low costs first. :-\

Merry Christmas from FreeBSD

Posted Dec 24, 2011 9:27 UTC (Sat) by oldtomas (guest, #72579) [Link]

[...] it does demonstrate (to me, anyways) that we do need something analogous to Formal Methods.

I respectfully disagree. Formal Methods is a tool. What we need is education and culture.

Tools without the corresponding culture tend to evolve into monstrous red tape generators. Have you witnessed an Agile Team in a big corp lately?

People have to understand and approve the tools they use.

Merry Christmas from FreeBSD

Posted Dec 24, 2011 17:21 UTC (Sat) by dsimic (subscriber, #72007) [Link]

It shouldn't be specific to the IT. People are just lazy / stupid and don't see the difference in doing something the right or the wrong way.

And it's much harder to spend a lot of time doing something the right way.
And it leaves much less time for posting s**t on Facebook. ;)

Merry Christmas from FreeBSD

Posted Dec 26, 2011 16:19 UTC (Mon) by Trelane (subscriber, #56877) [Link]

> And it's much harder to spend a lot of time doing something the right way.
> And it leaves much less time for posting s**t on Facebook. ;)

Funny because it's true:
http://www.despair.com/proc24x30pri.html

Merry Christmas from FreeBSD

Posted Dec 25, 2011 8:56 UTC (Sun) by elvis_ (subscriber, #63935) [Link]

I am a long time linux user but don't work in the IT field, I can assure you it is universal. I explain it to my business partner (who is somewhat of a perfectionist) by... remember all those kids who were dumb as a box of hammers in school, they all have jobs and some of them are in charge!!!! deal with it.

Apologies in advance to those with learning difficulties and the smart who were just plain bored, I didn't mean to offend you... and both of you should be able to work out the meaning anyway.

Merry Christmas from FreeBSD

Posted Dec 28, 2011 14:17 UTC (Wed) by steffen780 (guest, #68142) [Link]

Very good explanation!

Merry Christmas from FreeBSD

Posted Dec 24, 2011 4:45 UTC (Sat) by jmalcolm (guest, #8876) [Link]

I have also been surprised.

Just recently I decided to pursue formal certification on Cisco equipment. Modern Cisco routers and switches support SSH but it has to be setup. Telnet is the default.

What really surprises me though is that the Cisco training community uses Telnet heavily. The instructors in online courses Telnet around even after they show how to setup SSH. The craziest thing I have seen is companies that rent "rack-time", which is network access to real Cisco gear, using Telnet as the access method. Not only are they promoting Telnet as a standard practice to up-and-coming Network Engineers, they are trusting their business to it.

Given that I have always insisted on SSH even when logging into my home server or internal-only web servers, I was pretty surprised to find Telnet used so pervasively.

Cue for OpenWRT

Posted Dec 24, 2011 14:34 UTC (Sat) by proski (subscriber, #104) [Link]

Perhaps OpenWRT should ban telnetd and use ssh from the beginning, even without a password, so that nobody is exposed to using telnet, even temporarily.

Merry Christmas from FreeBSD

Posted Dec 26, 2011 0:32 UTC (Mon) by oblio (guest, #33465) [Link]

At least where I studied for the CCNA exams, they did use telnet.
*But* every time it was through a VPN connection. So telnet didn't really matter much, except for intranet password sniffing, maybe (IMO a much smaller risk).

Now that I think of it, there was a report about most company thefts being perpetrated by employees, so it would be a good idea to use SSH through VPN too :)

Merry Christmas from FreeBSD

Posted Dec 26, 2011 16:44 UTC (Mon) by jmalcolm (guest, #8876) [Link]

Yes, I have seen telnet used on a VPN but this is not a problem as you say. I have also seen it used on the open Internet as well. Crazy town.

In a training environment though, I am surprised they do not stress the use of SSH purely as an educational point.

Then again, the only Cisco training I have been exposed to used 'cisco' as the password on all devices. So, clearly convenience was trumping any demonstration of security best-practices in general.

Merry Christmas from FreeBSD

Posted Dec 26, 2011 16:45 UTC (Mon) by drag (subscriber, #31333) [Link]

If you want to try to prevent employee fraud your best bet is to monitor and log their activities on the company provided workstation.

Merry Christmas from FreeBSD

Posted Dec 25, 2011 11:45 UTC (Sun) by Ben_P (guest, #74247) [Link]

The remote management for consumer 'high speed' modems on Time Warner in Central NY are also all over telnet. Raw unencrypted telnet over the wire. SSH is disabled by default but can be enabled by level 3 service techs.

For what it's worth, my modem was reporting an 8-10 year old version of OpenSSH with known remote vulnerabilities after the tech left it running.

Merry Christmas from FreeBSD

Posted Dec 24, 2011 22:44 UTC (Sat) by janfrode (subscriber, #244) [Link]

I think the most scary issue here is if all the Juniper routers/firewalls running JunOS (based on FreeBSD) are also vulnerable. For some reason network admins seem to still use telnet a lot.. Also NetApp, Isilons and many more devices based on FreeBSD might be vulnerable. So this hole could be big.

Merry Christmas from FreeBSD

Posted Dec 26, 2011 16:40 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]

A couple years ago I tried to nmap the whole Net for the open telnet ports. I found around 10 million devices which is a bit scary, since quite a good percent of them were Cisco/Juniper routers.

Merry Christmas from FreeBSD

Posted Dec 27, 2011 8:37 UTC (Tue) by ekj (guest, #1524) [Link]

The FreeBSD guys use *CVS* to manage their files?

I'd say that's almost as bad as having a telnetd open to the intertubes. Both are practices that are at least a decade overdue for an upgrade.

Merry Christmas from FreeBSD

Posted Dec 27, 2011 9:22 UTC (Tue) by fperrin (guest, #61941) [Link]

The primary repository is Subversion (note the indication of SVN tags in the announcement).

CVS and Perforce mirrors are maintained. The recommended way for sysadmins who want to get the source is to use CVSup, which relies on CVS under the hood (of course, devs and people who follow HEAD use SVN directly).

Merry Christmas from FreeBSD

Posted Dec 27, 2011 11:58 UTC (Tue) by rahulsundaram (subscriber, #21946) [Link]

They should just use Git and drop the mirrors. Even DragonflyBSD does.

*BSD vs Linux

Posted Dec 28, 2011 7:51 UTC (Wed) by ldo (guest, #40946) [Link]

This seems to me symptomatic of the general difference in philosophy between *BSD and Linux distros: Linux distros are decentralized, modular efforts, with hundreds, nay, thousands, of separate projects for the separate parts that go into a major-league distro. The use of decentralized Git for core components like the kernel fits in with this philosophy.

Whereas the BSDs are centralized projects, which even when they make use of code from other projects, prefer to have their own copies of that code in their centralized repository. Hence their preference for a centralized VCS like Subversion.

*BSD vs Linux

Posted Dec 28, 2011 9:23 UTC (Wed) by k8to (subscriber, #15413) [Link]

Great, but you can use git that way too.
There's nothing about git that says you can't have one central truth where everything has to go.

*BSD vs Linux

Posted Dec 28, 2011 11:05 UTC (Wed) by rahulsundaram (subscriber, #21946) [Link]

Exactly. The *other* benefits of using git, like performance, make it worth the effort to switch even when projects are being developed in a central fashion, which is why I explicitly mentioned a BSD flavor using it already. There are dozens of other examples. So that's a poor rationale.

*BSD vs Linux

Posted Dec 31, 2011 21:30 UTC (Sat) by gvy (guest, #11981) [Link]

Last time I checked [with peter@fbsd], it was some emotional ***ching about how they're different...

Merry Christmas from FreeBSD

Posted Dec 28, 2011 21:53 UTC (Wed) by AnthonyJBentley (guest, #71227) [Link]

The difference being that using telnet is fundamentally insecure, while CVS just uses an outdated way of thinking about source control.

That said, there is a slow move away from CVS, even in the BSD world. FreeBSD has been using Subversion for years. DragonFly BSD has been using Git (including their own Git mirror of pkgsrc). NetBSD is moving to Fossil.

OpenBSD had been working on their own CVS implementation, OpenCVS, but that work has basically stalled. The package maintainers are gradually moving to Git, though.

But changing repositories should be done slowly and carefully, especially for large projects. LWN even had a good article describing Postgresql’s conversion.

Telnet just sucks from a usability standpoint!

Posted Dec 28, 2011 1:45 UTC (Wed) by madscientist (subscriber, #16861) [Link]

If you can't get people to switch for security reasons, you'd think you'd be able to get them to switch for usability reasons. Telnet is painful in the extreme to use for anything but live, interactive sessions. Bah. Ssh is so much simpler to use, and has so many more capabilities, that it's a no-brainer even leaving security aside (which, of course, should be enough for everyone anyway).

Telnet just sucks from a usability standpoint!

Posted Dec 28, 2011 13:19 UTC (Wed) by paulj (subscriber, #341) [Link]

Windows ships with a telnet client, but not an SSH client. Also, many devices (e.g. IOS based ones) ship with telnet servers installed, but not SSH. That's why telnet is still used.

Merry Christmas from FreeBSD

Posted Jan 6, 2012 13:50 UTC (Fri) by wookey (subscriber, #5501) [Link]

I've had quite a recent situation where telnet did the job and ssh didn't:
Connecting to a newly-imaged board as part of the programming process.

You can do it for one board with ssh using a pre-generated key in the image, but then each subsequent board generates a 'Help, the other end of the connection has changed - refusing to connect'. So far as I could tell there is no way to tell ssh not to do that, so it was entirely useless.

Telnet just worked, and in this case was being used on an internal wired network, firewalled by the programming machine so the use of cleartext logins really didn't matter.

And telnet is still a really useful testing tool for checking out if a port/service does what you expect. Sometimes nc will do instead but telnet is generally more convenient.

Merry Christmas from FreeBSD

Posted Jan 6, 2012 14:06 UTC (Fri) by amonnet (guest, #54852) [Link]

These ssh options might help:

-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no

+++

Merry Christmas from FreeBSD

Posted Jan 6, 2012 14:19 UTC (Fri) by wookey (subscriber, #5501) [Link]

Really? That's it? I tried the NoStrictHostKeyChecking thing, but not the null hosts file. You wouldn't believe how many hours I wasted not-discovering that, when all I had to do was wait a couple of years for an opportunity to ask on LWN :-)

Merry Christmas from FreeBSD

Posted Jan 6, 2012 16:39 UTC (Fri) by raven667 (subscriber, #5198) [Link]

You should also be able to just remove the cached key entries from ~/.ssh/known_hosts or make the known_hosts file read-only so that new public keys aren't cached. That's what I've done before to handle provisioning networks where one sees new host keys for the same IPs all the time.
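
The known_hosts behaviour that the last three comments are working around, as an added example in Python. This is not code from the thread, from OpenSSH or from FreeBSD, and it is a simplified model of ssh's decision (it ignores certificates and only looks at the offered key type). It parses known_hosts, matches plain, wildcard, negated, [host]:port and HashKnownHosts entries, reports whether an offered key is ok, changed, revoked or unknown, and scrubs an address the way ssh-keygen -R does. All key blobs are constructed placeholders and the 10.0.0.0/24 bench subnet is an assumption.

```python
"""Added example: how ssh decides between 'ok', 'changed' and 'unknown'
from ~/.ssh/known_hosts, and how to pin or scrub entries for a bench of
re-imaged boards.  Simplified model of OpenSSH behaviour, not its code;
every key blob below is a constructed placeholder."""
import base64
import hashlib
import hmac
import os
import re
from dataclasses import dataclass


@dataclass
class Entry:
    marker: str    # '', '@cert-authority' or '@revoked'
    hosts: str     # pattern list, or '|1|salt|hmac' under HashKnownHosts yes
    keytype: str
    key: str       # base64 blob


def parse_known_hosts(text):
    entries = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith('#'):
            continue
        marker = ''
        if s.startswith('@'):
            head = s.split(None, 1)
            if len(head) < 2:
                continue
            marker, s = head
        parts = s.split(None, 3)
        if len(parts) < 3:
            continue  # malformed line; ssh skips it as well
        entries.append(Entry(marker, parts[0], parts[1], parts[2]))
    return entries


def _glob_match(pattern, host):
    # ssh host patterns know only '*' and '?'; '[' and ']' are literal
    # (as in '[10.0.0.7]:2222'), so fnmatch would be the wrong tool here.
    rx = ''.join('.*' if c == '*' else '.' if c == '?' else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, host) is not None


def host_matches(field, host):
    """True if a known_hosts host field applies to `host`."""
    if field.startswith('|1|'):
        _, _, salt_b64, digest_b64 = field.split('|')
        salt = base64.b64decode(salt_b64)
        want = base64.b64decode(digest_b64)
        got = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, want)
    matched = False
    for pat in field.split(','):
        if pat.startswith('!'):
            if _glob_match(pat[1:], host):
                return False  # a negated pattern vetoes the whole entry
        elif _glob_match(pat, host):
            matched = True
    return matched


def hash_host(host, salt=None):
    """The '|1|salt|hmac-sha1' field that HashKnownHosts yes writes."""
    salt = salt or os.urandom(20)
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return '|1|%s|%s' % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def check_host_key(text, host, keytype, key):
    """'ok', 'revoked', 'changed' (the refusal described in the thread)
    or 'unknown' (ssh would prompt, or auto-add under accept-new / no)."""
    other_key_seen = False
    for e in parse_known_hosts(text):
        if e.marker == '@cert-authority' or not host_matches(e.hosts, host):
            continue
        if e.keytype == keytype and e.key == key:
            return 'revoked' if e.marker == '@revoked' else 'ok'
        if e.keytype == keytype and e.marker == '':
            other_key_seen = True
    return 'changed' if other_key_seen else 'unknown'


def remove_host(text, host):
    """Drop every line whose host field matches, like `ssh-keygen -R host`."""
    kept = []
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith('#'):
            has_marker = parts[0].startswith('@') and len(parts) > 1
            field = parts[1] if has_marker else parts[0]
            if host_matches(field, host):
                continue
        kept.append(line)
    return '\n'.join(kept) + ('\n' if text.endswith('\n') else '')


if __name__ == '__main__':
    IMAGE_KEY = 'AAAAC3NzaC1lZDI1NTE5AAAAIBakedIntoTheBoardImage0000000000'  # constructed
    NEW_KEY = 'AAAAC3NzaC1lZDI1NTE5AAAAIRegeneratedByThisBoardOnBoot0000'  # constructed
    # Case 1: the image carries one pre-generated host key, so pin it for the
    # whole bench subnet instead of switching verification off.
    pinned = '10.0.0.* ssh-ed25519 %s board-image-v3\n' % IMAGE_KEY
    print('pinned image key:',
          check_host_key(pinned, '10.0.0.7', 'ssh-ed25519', IMAGE_KEY))
    # Case 2: each board makes its own key and addresses are reused; the
    # previous board's (hashed) entry now triggers the 'changed' refusal...
    stale = hash_host('10.0.0.7') + ' ssh-ed25519 %s\n' % IMAGE_KEY
    print('reused address:',
          check_host_key(stale, '10.0.0.7', 'ssh-ed25519', NEW_KEY))
    # ...so scrub that address first (what ssh-keygen -R does) and ssh is back
    # to 'unknown' for the new board without pointing it at /dev/null.
    print('after scrub:',
          check_host_key(remove_host(stale, '10.0.0.7'),
                         '10.0.0.7', 'ssh-ed25519', NEW_KEY))
```

The practical point for a provisioning bench: `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no` works by removing host authentication altogether, which is only tolerable on an isolated, firewalled wire of the kind described above. If the image bakes in one host key, a single wildcard line in a dedicated known_hosts file pins that key for the whole bench and keeps checking on. If every board generates its own key and addresses are reused, removing the stale entry (`ssh-keygen -R <address>`, or remove_host above) is what clears the 'changed' refusal; OpenSSH 7.6 and later also accept StrictHostKeyChecking=accept-new, which learns unknown hosts but still refuses changed ones.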


Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds