
Sun's SSH a week later still no patches - Sun Solaris


  1. #1

    Default Sun's SSH a week later still no patches

    All the FOSS systems have been patched a long time ago and all Sun has
    to offer is a bug report telling you to turn off sshd completely.

    http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56861&zone_32=category%3Asecurity

    It's another joke that writes itself.
    Baby Guest

  2. #2

    Default Re: Sun's SSH a week later still no patches

    Baby Peanut <com> wrote: 
     

    Solution: stop using Sun's sshd. It's very outdated and has lots of
    known problems and/or missing features compared to the latest versions
    of OpenSSH.

     

    Yes, I like those advisories with work-arounds that basically say
    "stop using LDAP or stop using sendmail" when there is a security
    problem. They might have as well said: "run shutdown -i 5 -g 0 -y, and
    don't turn on the machine until the patch is available"


    -akop
    Akop Guest

  3. #3

    Default Re: Sun's SSH a week later still no patches

    Akop Pogosian <akopps+berkeley.edu> writes:
     


    But it's the only one that does PAM correctly.

    It's interesting to see how a security feature, Privilege Separation,
    is causing all kinds of breakage, including security bugs; IMO, it adds
    too much complexity and should be scrapped and/or redesigned.

    Casper
    --
    Expressed in this posting are my opinions. They are in no way related
    to opinions held by my employer, Sun Microsystems.
    Statements on Sun products included here are not gospel and may
    be fiction rather than truth.
    Casper Guest

  4. #4

    Default Re: Sun's SSH a week later still no patches

    At 26 Sep 2003 07:27:09 GMT, Casper H.S. Dik <COM> writes:
     

    There's a tradeoff here. Privilege separation was introduced to close
    off a class of security holes -- one of which is the only remote hole
    to appear in the default OpenBSD install in the past 7 years (as
    they're so proud to say). On the other hand, as you mention,
    privilege separation is overly complicated, and I wish that there was
    a better way.
     

    The problems in OpenSSH 3.7.1p1 are not only OpenSSH's fault. PAM is
    overly complicated too. I'll bet not one Solaris administrator in
    fifty really understands PAM; the rest just futz with it in a vague
    sort of way.
    Paul Guest

  5. #5

    Default Re: Sun's SSH a week later still no patches

    Casper H.S. Dik <COM> wrote in message news:<3f73ea4d$0$58704$xs4all.nl>...
    > But it's the only one that does PAM correctly.

    Did Sun decide to help the FOSS community by showing how they did that?
     
    Baby Guest

  6. #6

    Default Re: Sun's SSH a week later still no patches

    On 26 Sep 2003 07:27:09 GMT, COM wrote:
    > But it's the only one that does PAM correctly.

    there was a section of code in older openssh stuff, that was ifdef'd out.
    uncommenting it, seemed to allow password expiration to work correctly,
    through PAM.

    The code seems to be in the mainline, for openssh 3.7.1p2

    I don't use pam, personally. But perhaps you might try out the binaries from
    blastwave.org, and report back what pam functionality is missing in the
    latest version?


     

    I agree. The good news is that it is a runtime thing, not a compile-time
    one, though.


    Specifically, if you set

    UsePAM yes
    UsePrivilegeSeparation no


    in /opt/csw/etc/sshd_config

    then privilege separation is not used, and PAM works, for password
    expiration.



    (Note: you MUST disable privsep for PAM to work)

    --
    http://www.blastwave.org/ for solaris pre-packaged binaries with pkg-get
    Organized by the author of pkg-get
    [Trim the no-bots from my address to reply to me by email!]
    S.1618 http://thomas.loc.gov/cgi-bin/bdquery/z?d105:SN01618:D
    http://www.spamlaws.com/state/ca1.html
    Philip Guest
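    The workaround above trades away the mitigation discussed earlier in this thread, so it is worth being able to spot it in a running system. The following audit is an added example, not code from this thread or from OpenSSH: it parses an sshd_config the way sshd does (first occurrence of a keyword wins, `#` comments, `Keyword=value` accepted) and flags the `UsePAM yes` / `UsePrivilegeSeparation no` pair. The sample config is constructed, and the defaults assumed for unset keys are labelled in the code.

    ```python
    """Audit sshd_config for the PAM / privilege-separation pair from the post.
    Added example (not OpenSSH code); sshd keeps the FIRST value of a keyword."""
    from typing import Dict, List

    # Constructed sample: the pair recommended above plus a later duplicate
    # that sshd would ignore because the first occurrence wins.
    SAMPLE_CONFIG = """\
    # /opt/csw/etc/sshd_config (constructed sample, not a real file)
    Port 22
    UsePAM yes
    UsePrivilegeSeparation no
    PermitRootLogin no
    UsePrivilegeSeparation yes   # ignored: first occurrence wins
    """

    # Assumed defaults for keys that are not set (labelled as assumptions).
    DEFAULTS = {"usepam": "no", "useprivilegeseparation": "yes"}


    def parse_sshd_config(text: str) -> Dict[str, str]:
        """Return keyword -> value (both lower-cased), first match wins."""
        settings: Dict[str, str] = {}
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()      # drop comments
            if not line:
                continue
            parts = line.replace("=", " ", 1).split(None, 1)  # 'Key=val' form
            if len(parts) != 2:
                continue
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
        return settings


    def audit(text: str) -> List[str]:
        """Flag privsep disabled, and the PAM-with-privsep-off workaround."""
        cfg = {**DEFAULTS, **parse_sshd_config(text)}
        findings: List[str] = []
        if cfg["useprivilegeseparation"] == "no":
            findings.append("UsePrivilegeSeparation no: network-facing code "
                            "runs with full sshd privileges")
            if cfg["usepam"] == "yes":
                findings.append("UsePAM yes with privsep off: the workaround "
                                "from this thread is in effect; re-enable "
                                "privsep once a PAM-compatible sshd is installed")
        return findings


    if __name__ == "__main__":
        for finding in audit(SAMPLE_CONFIG):
            print("WARN:", finding)
    ```
    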

  7. #7

    Default Re: Sun's SSH a week later still no patches

    On Fri, 26 Sep 2003 10:26:38 -0700 Paul Eggert <com> wrote: 
    >
    > The problems in OpenSSH 3.7.1p1 are not only OpenSSH's fault. PAM is
    > overly complicated too. I'll bet not one Solaris administrator in
    > fifty really understands PAM; the rest just futz with it in a vague
    > sort of way.[/ref]

    PAM in openssh has been broken long before 3.7.1. 3.7.1 adds
    significant additional brokenness, however.

    So my guess here is that the reason there is no SunSSH is because the
    new PAM is in bad shape, and Sun can't really release another 3.6
    because they'll get poo-poo'd for not going up to 3.7. I hope that's
    it because otherwise, wow, they are dropping the ball -- the fix
    is trivial to backport.

    It is a SIGNIFICANT change to go to 3.7 and Sun should fork at this
    point, or stay back. However they'll get flack for that (no matter
    the justification) and so they probably are doing a lot of work
    right now to fold into 3.7.

    PAM is complicated. I don't think it's overly complicated. It's not
    that hard to get correct -- even my own openssh port does, and I'm
    definitely not in the league of the openssh guys. The reason they
    don't have it correct is openssh is a BSD thing and bsdauth is
    encouraged over pam. (bsdauth is better in some ways, worse in others)

    /fc
    Frank Guest

  8. #8

    Default Re: Sun's SSH a week later still no patches

    com (Baby Peanut) writes:
    >> But it's the only one that does PAM correctly.

    Yes! We're not stupid; if you want to continue to track a particular
    piece of open source software it is in your best interest to give changes
    back as it saves you problems later.

    Casper
    --
    Expressed in this posting are my opinions. They are in no way related
    to opinions held by my employer, Sun Microsystems.
    Statements on Sun products included here are not gospel and may
    be fiction rather than truth.
    Casper Guest

  9. #9

    Default Re: Sun's SSH a week later still no patches

    FYI: sunfreeware.com now has OpenSSH 3.7.1p2 packages.

    Casper H.S. Dik <COM> wrote in message news:<3f7578f5$0$58716$xs4all.nl>...
    > Yes! We're not stupid; if you want to continue to track a particular
    > piece of open source software it is in your best interest to give changes
    > back as it saves you problems later.
    >
    > Casper

    Cool!
    Baby Guest

  10. #10

    Default Re: Sun's SSH a week later still no patches


    "Baby Peanut" <com> wrote: 

    Back when you wrote the above, a binary fix was
    available for contract customers. Do you want Sun to
    publish patches which have not been tested thoroughly,
    and thus might provide an incomplete fix only,
    or might cause other serious problems?
    No code review either? No checks whether there exist
    variations of the same erroneous code in other
    parts of the same sources?



    Thomas
    Thomas Guest

  11. #11

    Default Re: Sun's SSH a week later still no patches

    The T-patches are there on http://sunsolve.Sun.COM/pub-cgi/tpatch.pl
    now (they appeared within the last 12 hours).

    Chris Thompson
    Email: cet1 [at] cam.ac.uk
    Chris Guest
