Re: ISS: OpenSSH Remote Challenge Vulnerability
Miod Vallat wrote:
>>So one config option, it seems, could have saved the day ..
>>
>>Then why so much fuss, tech-push ?
>
> Switching to privsep does not alter the functionality of sshd in any way
> (apart from a few known bugs being worked on with Kerberos).
>
> Disabling ChallengeResponseAuthentication reduces the functionality.
>
> You don't deal with a security issue by restricting functionality when a
> better workaround is available, until a fix is made available.
On a number of platforms switching to privsep breaks compression,
i.e. it restricts functionality. The recommendation, most rigorously
made by all and sundry, was 'upgrade to 3.3 now, use privsep',
i.e. break compression on some platforms, *now*. For some of
those users, there was a better workaround than the pain of
rebuilding OpenSSH and losing some useful feature.
For some users, compression may be far more valuable (e.g. slow
modem links) than the challengeauth stuff, which they may not
have needed or been using. We certainly weren't using it,
but we use compression, and need it for some slow links
and tunnelled VNC.
What might have been nice(!) would be a 'use privsep, or
disable challengeauth, whichever suits your problem-space
best'. Privsep didn't even 'fix' the problem, it just reduced
its impact. Turning off the challengeauth merde does (if I
understand the ISS alert anyway).
Kudos to Theo et al for releasing 3.4 so quickly, but a
big raspberry for the unnecessary crying of wolf preceding
it.
Carl (with 3.4 now up & running on a very heterogeneous network)
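The two workarounds the thread weighs, as an added checker that is not code from the thread or from OpenSSH: it parses an sshd_config with the file's first-occurrence-wins rule and reports whether ChallengeResponseAuthentication is off, whether only privsep is in place, and whether privsep is combined with Compression (the conflict Carl describes). The defaults for absent options (both "yes", Compression "yes") are assumed, as is the sample config, which is constructed.

```python
# Added example; not from the thread or the OpenSSH project.
# Assumed OpenSSH 3.3+ defaults for options absent from the file.
DEFAULTS = {
    "challengeresponseauthentication": "yes",
    "useprivilegeseparation": "yes",
    "compression": "yes",
}

# Constructed sample sshd_config for the stand-alone run below.
SAMPLE_CONFIG = """\
# hardened for the ISS advisory without losing compression
ChallengeResponseAuthentication no
UsePrivilegeSeparation no
Compression yes
ChallengeResponseAuthentication yes   # ignored: first match wins
"""


def parse_sshd_config(text):
    """Return {lowercased option: value}; sshd honours the first occurrence."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts


def assess(text):
    """Classify a config against the two workarounds discussed in the thread."""
    opts = dict(DEFAULTS)
    opts.update(parse_sshd_config(text))
    privsep = opts["useprivilegeseparation"].lower() == "yes"
    chal_off = opts["challengeresponseauthentication"].lower() == "no"
    compression = opts["compression"].lower() == "yes"
    if chal_off:
        status = "challenge-response disabled: affected code not reachable"
    elif privsep:
        status = "privsep only: impact contained, affected code still reachable"
    else:
        status = "neither workaround applied"
    # Carl's caveat: on some platforms privsep broke compression.
    conflict = privsep and compression and not chal_off
    return {"status": status, "privsep_compression_conflict": conflict}


if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG))
```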