Corrections to "A Rough Year for OpenSSH"
Following the posting of Jose Nazario's article, "A Rough Year for OpenSSH", on the Linux Journal web site on January 2nd, we received an e-mail from Theo de Raadt, the OpenSSH project founder. His purpose in writing was to clarify a couple of errors and misrepresentations in the article.
Regarding the crc32 deattack code, Jose's article states:
Due to the nature of the vulnerability, this issue was addressed immediately by both the SSH developers and the OpenSSH team. Since SSH version 1.2.32 and OpenSSH version 2.3.0, this issue has been fixed. All SSH users should have upgraded as this is being actively exploited.
In actuality, OpenSSH's fix was made available in October 2000, several months before the hole was found. The fix was included in OpenSSH 2.3.0, which shipped right around that time--October 2000, not 2001--and can be seen in the revision information Theo sent:
revision 1.10 date: 2000/10/31 13:18:53; author: markus; state: Exp; lines: +2 -2 branches: 1.10.2; so that large packets do not wrap "n"; from netbsd
Therefore, the article's statement that "this issue was addressed immediately by both the SSH developers and the OpenSSH team" is incorrect--the OpenSSH fix was available months earlier.
Theo also points out another inaccuracy with the above statement; SSH.com took roughly three months to make an official release with the fix.
Heather Mead is Associate Editor of Linux Journal.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Server Hardening
- BitTorrent Inc.'s Sync
- The Death of RoboVM
- EnterpriseDB's EDB Postgres Advanced Server and EDB Postgres Enterprise Manager
- The Humble Hacker?
- The US Government and Open-Source Software
- New Container Image Standard Promises More Portable Apps
- Open-Source Project Secretly Funded by CIA
- ACI Worldwide's UP Retail Payments
- AdaCore's SPARK Pro
In modern computer systems, privacy and security are mandatory. However, connections from the outside over public networks automatically imply risks. One easily available solution to avoid eavesdroppers’ attempts is SSH. But, its wide adoption during the past 21 years has made it a target for attackers, so hardening your system properly is a must.
Additionally, in highly regulated markets, you must comply with specific operational requirements, proving that you conform to standards and even that you have included new mandatory authentication methods, such as two-factor authentication. In this ebook, I discuss SSH and how to configure and manage it to guarantee that your network is safe, your data is secure and that you comply with relevant regulations.Get the Guide