Date: Tue, 25 Jun 2002 22:53:04 +0400 From: Solar Designer <solar@...nwall.com> To: bugtraq@...urityfocus.com Cc: announce@...ts.openwall.com, owl-users@...ts.openwall.com, lwn@....net, Theo de Raadt <deraadt@....openbsd.org> Subject: Re: Upcoming OpenSSH vulnerability On Mon, Jun 24, 2002 at 03:00:10PM -0600, Theo de Raadt wrote: > There is an upcoming OpenSSH vulnerability that we're working on with > ISS. Details will be published early next week. > > However, I can say that when OpenSSH's sshd(8) is running with priv > seperation, the bug cannot be exploited. > > OpenSSH 3.3p was released a few days ago, with various improvements > but in particular, it significantly improves the Linux and Solaris > support for priv sep. However, it is not yet perfect. Compression is > disabled on some systems, and the many varieties of PAM are causing > major headaches. > > However, everyone should update to OpenSSH 3.3 immediately, and enable > priv seperation in their ssh daemons, by setting this in your > /etc/ssh/sshd_config file: > > UsePrivilegeSeparation yes Owl-current has been updated to include OpenSSH 3.3p1 with privilege separation enabled (and a patch to make that work on Linux 2.2 kernels which we continue to support). The updated source tree and packages went to the FTP mirrors by Monday. This stuff is, however, still being hacked on because of certain minor functionality problems that remain in this rushed release. Expect further updates in the following days and next week. It is strongly recommended that Openwall GNU/*/Linux (Owl) users update first to these 3.3p1-based privilege separated update packages and then to ones based on the upcoming OpenSSH releases. The details of the changes we apply will be documented in change logs for the OpenSSH package as well as in the system-wide change logs under Owl/doc/CHANGES in the native tree, also available via the web: http://www.openwall.com/Owl/CHANGES.shtml The SSH server used to be the only Internet service provided with Owl that didn't utilize privilege separation approaches. Now, thanks to the excellent work by Niels Provos, we are able to provide a system where all the Internet services are provided with privilege-separated implementations. That includes FTP, SMTP, POP3, Telnet, and now SSH. Those curious of how this all works may see our diagrams of the FTP, POP3, and Telnet servers in our CanSecWest/core02 / NordU2002 slides: http://www.openwall.com/presentations/core02-owl-html+images/ The FTP server is Chris Evans' vsftpd. The POP3 is popa3d. And the Telnet is a port from OpenBSD with privilege separation introduced in a way similar to what Chris Evans did in his patches to NetKit's (but the code is different). In all cases, the processes which talk to the remote client are running as a dedicated pseudo-user (different for each service) and chroot'ed to an empty directory (/var/empty). For the privilege-separated OpenSSH sshd, please refer to Niels Provos' web page on the topic: http://www.citi.umich.edu/u/provos/ssh/privsep.html The SMTP server is Postfix, with many of its components running in a chroot jail: http://www.postfix.org/security.html http://www.postfix.org/big-picture.html In fact, the checking of file accesses performed by Postfix that we did as a part of maintenance of the package on Owl has contributed to making Postfix's privilege separation more solid (starting with the 20011217 snapshot). -- /sd
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.