What a mess…

Today was a lost cause. I spent way too much time dealing with upgrading OpenSSH on boxes with 5 different Vendor/OS combos. It didn’t help that there were construction workers taking hammers to the stucco on the outside wall of the office.

For those of you not playing along at home, this looks bad. There’s a vulnerability that’s been around for a while, and it is apparently so exploitable that when a patch is produced, it’s going to be a major horse race between the sysadmins and the blackhats. And the blackhats are going to win a lot of those races.

But there’s this new feature that got released a week ago that in Theo’s words: “will one day save our asses”. Unfortunately, that feature doesn’t completely work on at least a few common platforms, one of which is Linux with a 2.2 kernel. If you don’t disable compression with the “Compression no” option, you can’t log in.

At least the sysadmins have a few days head start.

So: the easiest platform is Debian/woody: “sudo apt-get update” then “sudo apt-get install ssh”. Redhat 6.2 is a manual compile, not bad but nothing is in a standard location. And there’s that compression thing. Debian potato has this as a major version upgrade, so there are new keys and config file tweaking to make old RSA authenticated backups work. The Cobalt/Sun RAQ doesn’t ship with ssh, so it’s the friendly admins on the security list to the rescue.

Finally, there’s Apple and OS X. If I don’t hear from them in the next day or two, I’ll be compiling my own. But I really hope that there’s an OS package for this before Monday.

Because Monday is when OpenSSH 3.2 turns into a pumpkin with the release of the patch that tells every black hat where to look. At least there’s a mostly working version available before the meltdown. In the meantime, this could be an excellent time to do a little firewalling of ssh to just those locations that need access.
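One way to do that firewalling, as an added example that is not part of the original post: a small sh script that allows inbound tcp/22 only from a short list of trusted source networks and drops everything else aimed at the ssh port. It assumes iptables (a newer Linux than the 2.2 kernel boxes mentioned above, which would use ipchains), and the trusted networks 192.0.2.0/24 and 198.51.100.7 are made-up placeholders. By default it only prints the rules; set APPLY=1 and run it as root to actually install them.

```shell
#!/bin/sh
# Added example (not from the original post): restrict SSH to trusted sources.
# Assumes iptables; the source networks below are constructed placeholders.

SSH_PORT=22

# Emit the iptables commands that accept SSH from each given source network
# and then drop any other new connection to the SSH port.
ssh_allow_rules() {
    for src in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$SSH_PORT" "$src"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$SSH_PORT"
}

# Sanity check: how many ACCEPT rules a generated ruleset grants, read from stdin.
count_accepts() {
    grep -c -- '-j ACCEPT'
}

rules=$(ssh_allow_rules 192.0.2.0/24 198.51.100.7)

if [ "${APPLY:-0}" = "1" ]; then
    # Apply for real (needs root); otherwise just show what would be run.
    printf '%s\n' "$rules" | sh
else
    printf '%s\n' "$rules"
fi
```

Order matters here: the ACCEPT rules are appended before the final DROP, so a trusted source matches first. Review the printed rules before applying, and keep a console or out-of-band route to the box in case the list is wrong.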
