[plug] OpenSSH and security holes

Christian christian at global.net.au
Sun Dec 12 11:18:35 WST 1999 

Leon Brooks wrote:

> OpenSSH was split from standard SSH at the last free version, then all
> patent-encumbered stuff stripped out. This would naturally include RSA.
> It uses OpenSSL, not the BSD libraries, for SSL.

Unfortunately it doesn't quite work like that.  Prior to 2.6, OpenBSD
didn't ship with SSL libraries containing an RSA implementation (a
patent-encumbered algorithm, for the US, which I think SSH actually
depends on quite a lot!) since this would prevent them from distributing
the system to people in the US.  Instead they provided a simple way for
users to upgrade to fully implemented libraries depending on their
geographical location: independent OpenSSL RSA implementation for those
lucky non-US people and the ugly RSAREF implementation for those
unfortunate souls in America.  I don't know how the Linux OpenSSH team
is managing things but I expect they would have to ship both
implementations, after all, that's what the OpenBSD people are doing. 
As a result, US users of OpenSSH/BSD/SSL have been exposed to the recent
overflow problems with RSAREF -- the SSL-linked software for these
people still must use RSAREF.  My original suggestion of caution was
that I didn't know how the Linux porting team for OpenSSH were managing
RSA implementations; if they were doing a dual tree approach like
OpenBSD then only US users would have a problem (unless non-US people
downloaded the US version... probably not legal under ITAR depending on
where you got it from), however, if they were using RSAREF for
everything (but mirrored on US and non-US sites) then there would be a
problem.  Hope that clears thing up. :-)

> > As for the other bug, I believe that involves connecting to an OpenSSH
> > server with a SecureCRT client and it has been fixed in a recent OpenBSD
> > patch.  I don't know whether this patch has been integrated into Linux
> > OpenSSH yet...
> 
> AFAIK, it happens semi-automagically, as in, the Linux port is kept as a
> set of context diffs.

Then you would just have to make sure you had the most recent version.
:-)

Regards,

Christian.

-- 
For every complex problem, there is an answer that is short,
simple and wrong.
					- H. L. Mencken

More information about the plug mailing list