A backdoor in xz

Posted Mar 30, 2024 8:18 UTC (Sat) by DimeCadmium (subscriber, #157243)
In reply to: A backdoor in xz by Cyberax
Parent article: A backdoor in xz

Gross, selinux; pretty sure UsePAM is also a patch (and it can at least be disabled in the config). The question though is not "what pulls it in" but rather "what pulls it in without adding value" because that's how you get lists of 100s of deps, any one of which is vulnerable to an attack like this.


A backdoor in xz

Posted Mar 30, 2024 10:54 UTC (Sat) by khim (subscriber, #9252) (1 response)

> The question though is not "what pulls it in" but rather "what pulls it in without adding value"

Each patch adds value to someone, or it wouldn't have existed. Sshd without PAM would be 100% useless to me because all machines that I use ssh with use authentication not supported by stock Debian.

Similarly someone who needs to pass certain certification needs selinux and so on.

That's the flip side of the story which made open source available in the first place: we have millions of users and even if 0.01% of them are developers it's enough to produce software for free.

Remove all that “crap” and suddenly there are not enough developers to drive that thing forward because there are not enough users.

There is no easy solution for that problem, unfortunately.

A backdoor in xz

Posted Mar 31, 2024 1:27 UTC (Sun) by DimeCadmium (subscriber, #157243)

There's a difference between adding value to 1 person and adding value to everyone who uses some software, for example.

A backdoor in xz

Posted Mar 30, 2024 19:32 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) (5 responses)

PAM still has value, it's still very useful for auditing and custom authentication in special environments.

These days, PAM can be mostly replaced by ephemeral SSH certificates for authentication. But it's still useful for auditing.

A backdoor in xz

Posted Mar 30, 2024 21:25 UTC (Sat) by apoelstra (subscriber, #75205) (3 responses)

I use pam_u2f extensively on my personal computers to use a Yubikey to authenticate my login and screenlocker. This use case can't be replaced by ephemeral SSH certs because the goal is to talk to a physical U2F key which only speaks U2F.

A backdoor in xz

Posted Mar 31, 2024 0:47 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) (2 responses)

Is it for interactive logins or for SSH? It's definitely still needed for interactive logins, but they are also much less troublesome. But I don't think SSH needs them.

A backdoor in xz

Posted Mar 31, 2024 16:54 UTC (Sun) by apoelstra (subscriber, #75205) (1 response)

Ah, yes, only for interactive logins. For SSH I use GnuPG's ssh-agent emulation support, whose mechanism I don't really understand.

A backdoor in xz

Posted Mar 31, 2024 18:51 UTC (Sun) by Cyberax (✭ supporter ✭, #52523)

ssh-agent (or its emulation) is basically just the public key authentication.

PAM was useful for custom authentication, such as LDAP-based auth or something similar. These days a fairly typical workflow is to use some kind of a daemon/utility on the developer's machine to get a temporary SSH certificate, and then just use this certificate to log in using SSH.
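
The workflow described in the comment above (a short-lived certificate minted by a CA and presented to sshd) is easier to reason about once you see what such a certificate actually carries. The following is an added example, not code from LWN, OpenSSH or any commenter: it encodes an OpenSSH user certificate in the wire format ssh-keygen produces (with constructed placeholder key, nonce and signature bytes, not real keys), parses it back, and applies the checks a relying party makes beyond the CA signature: principal match, validity window, a local maximum-lifetime policy (MAX_LIFETIME is an assumption, not an OpenSSH default), and the source-address critical option. Signature verification is deliberately left out because sshd does it against the CA keys listed in TrustedUserCAKeys; that directive, together with UsePAM no (the config switch mentioned earlier in the thread), is the sshd_config side of replacing PAM-based authentication with certificates.

```python
"""OpenSSH user-certificate parser plus relying-party checks.

Added example (not LWN, OpenSSH or commenter code).  The CA signature is NOT
verified here; sshd does that against TrustedUserCAKeys.  Key, nonce and
signature bytes below are constructed placeholders, not real keys."""
import struct
from ipaddress import ip_address, ip_network

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1
MAX_LIFETIME = 24 * 3600  # local policy (assumption): refuse certs valid for more than a day

def _string(b):
    return struct.pack(">I", len(b)) + b

def _options(pairs):
    # each entry is string(name) + string(data); non-empty data is itself a wrapped string
    return b"".join(_string(n.encode()) + _string(_string(v.encode()) if v else b"")
                    for n, v in pairs)

def build_user_cert(key_id, principals, valid_after, valid_before,
                    critical_options=(), extensions=(("permit-pty", ""),)):
    return (_string(CERT_TYPE)
            + _string(b"\x00" * 32)                      # nonce (placeholder)
            + _string(b"\x11" * 32)                      # user's ed25519 public key (placeholder)
            + struct.pack(">QI", 1, SSH_CERT_TYPE_USER)  # serial, certificate type
            + _string(key_id.encode())
            + _string(b"".join(_string(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _string(_options(critical_options))
            + _string(_options(extensions))
            + _string(b"")                               # reserved
            + _string(_string(b"ssh-ed25519") + _string(b"\x22" * 32))   # CA public key (placeholder)
            + _string(_string(b"ssh-ed25519") + _string(b"\x33" * 64)))  # CA signature (placeholder)

class _Reader:
    def __init__(self, data):
        self.data, self.off = data, 0
    def _take(self, fmt):
        (v,) = struct.unpack_from(fmt, self.data, self.off)
        self.off += struct.calcsize(fmt)
        return v
    def u32(self): return self._take(">I")
    def u64(self): return self._take(">Q")
    def string(self):
        n = self.u32()
        s = self.data[self.off:self.off + n]
        if len(s) != n:
            raise ValueError("truncated certificate")
        self.off += n
        return s
    def done(self): return self.off == len(self.data)

def _strings(blob):
    r, out = _Reader(blob), []
    while not r.done(): out.append(r.string())
    return out

def _parse_options(blob):
    r, out = _Reader(blob), {}
    while not r.done():
        name, data = r.string().decode(), r.string()
        out[name] = _strings(data)[0].decode() if data else ""
    return out

def parse_cert(blob):
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("unsupported certificate type")
    r.string(); r.string()  # nonce, user public key
    cert = {"serial": r.u64(), "type": r.u32(), "key_id": r.string().decode(),
            "principals": [p.decode() for p in _strings(r.string())],
            "valid_after": r.u64(), "valid_before": r.u64(),
            "critical_options": _parse_options(r.string()),
            "extensions": sorted(_parse_options(r.string()))}
    r.string()  # reserved
    r.string(); r.string()  # CA public key, signature: verified by sshd, not here
    if not r.done():
        raise ValueError("trailing bytes after signature")
    return cert

def check_cert(cert, login_user, now, source_ip=None):
    """Return (accepted, reason): what a relying party checks beyond the signature."""
    if cert["type"] != SSH_CERT_TYPE_USER:
        return False, "not a user certificate"
    if login_user not in cert["principals"]:
        return False, "%r not in principals" % login_user
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return False, "outside validity window"
    if cert["valid_before"] - cert["valid_after"] > MAX_LIFETIME:
        return False, "lifetime exceeds local policy"
    for name, val in cert["critical_options"].items():
        if name == "source-address":  # CIDR list the client must connect from
            nets = [ip_network(n.strip(), strict=False) for n in val.split(",")]
            if source_ip is None or not any(ip_address(source_ip) in n for n in nets):
                return False, "source address not permitted by certificate"
        elif name != "force-command":  # unknown critical options must be rejected
            return False, "unknown critical option %s" % name
    return True, "ok"
```

In practice the certificate comes from ssh-keygen -s ca_key -I key_id -n principals -V +10m user_key.pub (or from a daemon that does the equivalent), and ssh-keygen -L -f user_key-cert.pub prints the same fields the parser above extracts; the short -V interval is what makes the certificate ephemeral, so the lifetime policy in check_cert is the check worth enforcing on the CA side too.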

A backdoor in xz

Posted Mar 31, 2024 1:27 UTC (Sun) by DimeCadmium (subscriber, #157243)

Leftpad still has value, it's very useful for padding the left side of a string when you're too lazy to write 2 lines of code.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds