A backdoor in xz

Posted Mar 29, 2024 20:09 UTC (Fri) by diegor (subscriber, #1967)
In reply to: A backdoor in xz by mussell
Parent article: A backdoor in xz

> Genuinely surprised that there's no project to replace OpenSSH in a memory safe language that is designed around the OS that everyone actually uses.

Windows? Not trolling, but just trying to make a point...


A backdoor in xz

Posted Mar 29, 2024 20:30 UTC (Fri) by intelfx (subscriber, #130118) (5 responses)

>> Genuinely surprised that there's no project to replace OpenSSH in a memory safe language that is designed around the OS that everyone actually uses.
>
> Windows? Not trolling, but just trying to make a point...

Perhaps we could amend that to "<...> around the OS that everyone actually uses OpenSSH on"?

A backdoor in xz

Posted Mar 29, 2024 22:43 UTC (Fri) by magfr (subscriber, #16052) (4 responses)

Windows.
OpenSSH is part of Windows 10+.
You can finally open up cmd, type ssh user@system, and the right thing happens.

A backdoor in xz

Posted Mar 29, 2024 23:59 UTC (Fri) by skissane (subscriber, #38675)

Most Windows users never use OpenSSH.
The vast majority of Windows installs have the OpenSSH server disabled.

And a lot of Windows users who actually do use an SSH client aren't using the bundled OpenSSH client – they are using PuTTY, or Cygwin/MSYS2 OpenSSH, or WSL OpenSSH, or one of a dozen other open source and proprietary Windows SSH clients.

I really doubt use of Windows bundled OpenSSH is greater than OpenSSH use on Linux (which includes WSL).

A backdoor in xz

Posted Mar 30, 2024 3:51 UTC (Sat) by ibukanov (subscriber, #3942)

Like 3 years ago I lost a few hours after trying Windows-bundled ssh. During git clone or pull it sometimes stopped working.

A backdoor in xz

Posted Mar 30, 2024 7:04 UTC (Sat) by intelfx (subscriber, #130118)

> Windows.
> OpenSSH is part of Windows 10+.
> You can finally open up cmd, type ssh user@system, and the right thing happens.

That's not the openssh _daemon_. And it's not the OS everyone *uses* openssh on.

A backdoor in xz

Posted Mar 30, 2024 7:47 UTC (Sat) by jem (subscriber, #24231)

Last time I checked, OpenSSH on Windows was a joke. Microsoft is doing a half-hearted job with the Windows port. It typically lags a few versions behind, and they don't even bother to write their own documentation, but instead refer to the man pages of the upstream version. Microsoft uses the same version numbering, for example calling their version OpenSSH 8.2, even if they leave out features at will. For example, the last Windows version I checked completely lacked support for PKCS11 (smart cards). The -I option was not recognized.

Also, if you wanted to use ssh agent, you had to install the SSH server, because ssh agent was bundled with the server package, not the client package, showing a complete lack of understanding of what the role of ssh agent is.

A backdoor in xz

Posted Mar 30, 2024 8:14 UTC (Sat) by niner (subscriber, #26151) (5 responses)

There are a lot more Linux boxes than Windows boxes. It's just that a lot of them are virtual and there are more non-desktop than desktop ones.

A backdoor in xz

Posted Mar 30, 2024 9:39 UTC (Sat) by geuder (subscriber, #62854) (4 responses)

Really? I mean Linux boxes having a stable, public IPv4 address and exposing sshd. Not counting Android and other embedded stuff.

I have no statistics whatsoever at hand. On one side it sounds unbelievable that you need more servers than people to serve. On the other hand computing has become such a waste of resources that I wouldn't be too surprised if you were correct.

A backdoor in xz

Posted Mar 30, 2024 9:52 UTC (Sat) by niner (subscriber, #26151) (1 response)

Why not count embedded stuff? From Wifi routers to TVs to security cameras to light bulbs, they are running Linux and compromising them can give you a foothold in a network.
Then of course there are millions and millions of systems comprising the cloud.

A backdoor in xz

Posted Mar 30, 2024 12:55 UTC (Sat) by geuder (subscriber, #62854)

In general yes. But I thought here we were discussing the concrete attack to get a backdoor into sshd.

I don't think a lot of those systems listen on the internet using sshd.

Of course with the hundreds of commits by the maintainer account in question it's not impossible that sshd is only the first attack vector found and there are also others.

A backdoor in xz

Posted Mar 30, 2024 13:24 UTC (Sat) by pawel44 (guest, #162008) (1 response)

You need Linux servers to scan the web for Windows viruses. Furthermore, if we count Android the answer is clear.

A backdoor in xz

Posted Mar 30, 2024 14:39 UTC (Sat) by smurf (subscriber, #17840)

On the other hand, stock Android doesn't run an ssh server.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds