June 26th, 2002

Danger Mouse

Theo can bite me. [or OpenSSH "vulnerability"]

I will admit from the start, that Theo de Raadt annoys me. I've seen and participated in e-mail discussions with him before, and I've nearly never seen a pleasant discussion where he's involved. I don't like him.

However, the whole thing with the recent OpenSSH security vulnerability really annoys me. His poor handling of the "exploit" has cost a lot of people a great deal of time, effort, and hard work, and for many of us, unnecessarily so.

Here are the basic facts, as I understand them:
  • All versions of OpenSSH < 3.4 are vulnerable to exploit. (Rumor has it that versions prior to 3.0 are not vulnerable, but I've not been able to verify this.)

  • Theo de Raadt has been telling everyone that they must upgrade to OpenSSH 3.3 immediately, while admitting that this does not fix the security hole (it does reduce the impact it has, though).

  • Theo (falsely) claimed that there was no patch or fix available for this security exploit, and wouldn't be until a new release of OpenSSH was released.

  • Thousands of people were left with very little information, and were forced to spend the time and effort to protect their systems, upgrade OpenSSH, then test and verify it. Additionally, OpenSSH 3.3 has known bugs on many platforms (compression doesn't work on all operating systems, including Linux 2.2.x kernels; PAM support isn't complete, and breaks on many systems; etc.).

  • The claim that all systems making use of OpenSSH < 3.4 are vulnerable is untrue.

  • The vast majority of systems out there using OpenSSH are in fact not vulnerable by the default setup. (Although, OpenBSD is. It's also the only major distribution that is vulnerable.)

  • Your OpenSSH installation is only vulnerable to this security problem if you have RSA-based rhosts authentication turned on, AND you have S/KEY authentication turned on. Both of these options must be compiled in and enabled (most default setups leave both of these disabled, even if compiled in).

  • You can ensure that your systems are safe and secure from this bug simply by editing the sshd_config (in /etc/ or /etc/ssh/), and adding the directive: ChallengeResponseAuthentication no, or if you already have that directive listed, change it to no. That's correct, no additional patching or upgrades are needed.

  • As far as I can tell, the only real reason that Theo didn't release this fix sooner, was so that he could ram his Privilege Separation feature in OpenSSH >= 3.3 down our throats. While I think this is a good feature in the long run, I seriously dislike running a program, especially one like ssh, that was released less than a week ago, on a production server. Especially when there are known bugs with it. I doubt all of these bugs have been fixed in OpenSSH 3.4.
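
As an added example that is not part of the original post: a small POSIX shell audit that reports the effective ChallengeResponseAuthentication setting of an sshd_config file, so you can confirm that the fix above actually took on each machine. It follows sshd's own parsing rules: the keyword match is case-insensitive, the first occurrence of a directive wins, and a directive that is absent or commented out falls back to the compiled-in default of yes (per sshd_config(5)). The sample config files it writes are constructed for the demonstration, and the function and file names are my own, not anything from the OpenSSH project.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# ChallengeResponseAuthentication directive recommended as the fix.

# Print the effective (lower-cased) value of ChallengeResponseAuthentication
# for the sshd_config given as $1. sshd uses the FIRST matching directive and
# matches keywords case-insensitively; when the directive never appears
# (or is only present in a comment) the compiled-in default "yes" applies.
cra_effective_value() {
    awk '
        /^[[:space:]]*#/ { next }          # comment line
        NF == 0          { next }          # blank line
        {
            key = tolower($1)
            sub(/=.*$/, "", key)           # allow "Keyword=value" form
            if (key == "challengeresponseauthentication") {
                val = $2
                if (val == "") { n = split($0, parts, "="); val = parts[n] }
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                print tolower(val)
                found = 1
                exit                       # first match wins
            }
        }
        END { if (!found) print "yes" }    # compiled-in default
    ' "$1"
}

# Report on one file. Returns 0 when the directive is effectively "no"
# (the mitigation from the post is in place), 1 otherwise.
check_cra() {
    file="$1"
    val=$(cra_effective_value "$file")
    case "$val" in
        no)
            echo "$file: ChallengeResponseAuthentication is no (mitigated)"
            return 0 ;;
        *)
            echo "$file: ChallengeResponseAuthentication is effectively '$val'" \
                 "(NOT mitigated; add 'ChallengeResponseAuthentication no')"
            return 1 ;;
    esac
}

# Constructed sample configs (not taken from any real system). Writes them
# into a fresh temp directory and prints its path.
make_sample_configs() {
    dir=$(mktemp -d)
    # 1: directive only present as a comment -> default "yes" applies
    cat > "$dir/default.conf" <<'EOF'
# sshd_config sample (constructed)
Port 22
#ChallengeResponseAuthentication yes
PasswordAuthentication yes
EOF
    # 2: the fix from the post, with the keyword and value in odd case
    cat > "$dir/fixed.conf" <<'EOF'
Port 22
challengeresponseauthentication No
EOF
    # 3: first match wins, so the later "no" does not override the "yes"
    cat > "$dir/twice.conf" <<'EOF'
ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
EOF
    echo "$dir"
}

# Stand-alone run: audit the file given on the command line, or, with no
# argument, the constructed samples.
if [ -n "$1" ]; then
    check_cra "$1"
else
    samples=$(make_sample_configs)
    for f in "$samples"/*.conf; do check_cra "$f" || :; done
fi
```

Run it as `sh cra_check.sh /etc/ssh/sshd_config` (or `/etc/sshd_config`, wherever your install keeps it). Note the third sample: simply appending `ChallengeResponseAuthentication no` to the end of a file that already says `yes` higher up does nothing, which is why the post says to change the existing directive rather than add a second one.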

I hope I haven't annoyed everyone too much with this little rant, but as someone who spent a considerable amount of time upgrading half a dozen machines in the past two days, only to find out that none of them were ever even vulnerable to this exploit, I'm really pissed off.

[Note: This was cross-posted to a couple of places, and I apologize if you see it more than once. I know it's a rant, but my main purpose for writing it was to distribute information on the OpenSSH vulnerability, and how to fix it, so that no one gets bit by the exploit. If anyone feels I shouldn't have posted it as I have, please let me know and I'll refrain from doing so next time.]
  • Current Music
    Iron Maiden - Rime of the Ancient Mariner