upcomming OpenSSH vulnerability will be to run OpenSSH-3.3 with the Privilege
Separation enabled.
This scares the daylights out of me! Think about what you are doing here.
(1) OpenSSH 3.3 with the privsep code has been only out for less then a week.
(2) Its hundreds of lines of code.
(3) The privsep does not run on all platforms
(4) The privsep does not work with all the features in current ssh.
(5) The privsep code has SSHD using here-to-for unused operating system
features.
(6) People with local modifications to SSH may not be able to
integrate them in such a short time frame.
Don't get me wrong, the privsep concept looks like a great idea, as a second
line of defense. But it should not be the primary defense.
A fix is needed for the original bug. You still need it to keep the hackers
off the machine. Saying that they are confined to the unprivileged child process
still lets then have access to cycles and the network where they can try and
attack the operating system and your network from inside.
The other aspect of this is the reliability of 3.3. With all the new code
what other problems might be introduced?
If you publish the problem, with out a real fix, and expect everyone to
implement 3.3 with privsep you will have a lot of people upset who can't run
3.3 or
can't run the privsep code. These people will be left out in the cold.
You need to provide a universal fix for all, not a partial fix for only some.
Thanks for listening.
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
