LUGOD: Linux Users' Group of Davis
Page last updated:
2001 Dec 30 17:01

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.


Re: [vox-tech] ssh requires setuid?


  • Subject: Re: [vox-tech] ssh requires setuid?
  • From: "Mark K. Kim" <MAPSmkkim@ucdavis.edu>
  • Date: Wed, 21 Feb 2001 13:10:38 -0800
  • References: 20010221115006.A3814@dirac.org

On Wed, 21 Feb 2001, Peter Jay Salzman wrote:

> they removed ssh1 because of security reasons but left telnet on?

Yeah.  One of the greatest threats to security is "false sense of
security".  Ssh1 gives this false sense of security while telnet doesn't
pretend to give any security at all.  There are people that argue
for/against either side ("it's better to have little security even if it
gives false sense of security" vs. "it's better to have no security at all
so you can take appropriate precautions"), but in either case I think it's
okay to use ssh1 as long as you know the risks.

Also, ssh1 has buffer overflow bug on both client and server ends.  This
makes these *suid* programs susceptible to attacks.

> if you have any influence over the administrators, twist their arm to use
> openssh instead of ssh.    openssh supports both ssh1 and ssh2.  it's
> available as an rpm, dpkg and source.  it couldn't be easier to install,
> and would boost the security of their system.  something every admin
> strives for.  :)

I don't have that much influence, I'm afraid.  They have other things to
do.  FYI, OpenSSH (up to version 2.3) is also susceptible to the buffer
overflow bug :)

-Mark

---
Mark K. Kim
http://www.cbreak.org/mark/
PGP key available upon request.

