Re: HEAD's UP: possible 0day SSH exploit in the wild

To: debian-security@lists.debian.org
Subject: Re: HEAD's UP: possible 0day SSH exploit in the wild
From: Russ Allbery <rra@debian.org>
Date: Thu, 09 Jul 2009 12:51:50 -0700
Message-id: <[🔎] 87my7dab3d.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] h35heg$8fa$1@ger.gmane.org> (Peter Jordan's message of "Thu\, 09 Jul 2009 21\:46\:23 +0200")
References: <[🔎] 20090708143825.GF2565@gamma.logic.tuwien.ac.at> <[🔎] f9971d420907080811ob5aa5a2i68f611f65aaf8b1f@mail.gmail.com> <[🔎] 5344ee8d0907080814x1a155b54n8298267c13b5b86d@mail.gmail.com> <[🔎] 235a4bf70907080933i33b77b67t4f72e489313e26a1@mail.gmail.com> <[🔎] f971bab40907080937v33884e78nce8291d34140f3de@mail.gmail.com> <[🔎] 235a4bf70907081403s7e2b9aadpa1d21e289d940211@mail.gmail.com> <[🔎] 20090708211330.GR16064@morgul.net> <[🔎] h340h6$aik$1@ger.gmane.org> <[🔎] 87fxd5kie1.fsf@windlord.stanford.edu> <[🔎] h354au$nf9$1@ger.gmane.org> <[🔎] 20090709160454.GS16064@morgul.net> <[🔎] h359vf$g9v$1@ger.gmane.org> <[🔎] 87iqi1bspm.fsf@windlord.stanford.edu> <[🔎] h35evp$voi$1@ger.gmane.org> <[🔎] 9l3a95ve88.fsf@not-invented-here.oucs.ox.ac.uk> <[🔎] h35heg$8fa$1@ger.gmane.org>

Peter Jordan <usernetwork@gmx.info> writes:

> It would be a stand alone MIT KDC (with krb-rsh) on debian lenny.
>
> "safe" in the sense of "you better attack the services which depends on
> kerberos than kerberos itself"

That's what we've done at Stanford for many, many years, and I'm
comfortable doing so.  The Debian MIT Kerberos maintainers (of which I'm
one) receive advance notice of upcoming security vulnerability
announcements and always prepare security updates in advance for any KDC
vulnerabilities.

The one additional vulnerability that you do open is brute-force attacks
on weak keys, which generally means password-based keys since the
randomly-generated service keys are generally too strong to bother with.
Ensuring that you use AES enctypes for all keys (disable DES and ideally
also 3DES) and that your users have to pick strong passwords should
eliminate most of that concern.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>

References:
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Norbert Preining <preining@logic.at>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Leandro Minatel <leandrominatel@gmail.com>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Rafael Moraes <rafael@bsd.com.br>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Roger Bumgarner <roger.bumgarner@gmail.com>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Jim Popovitch <jimpop@gmail.com>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Roger Bumgarner <roger.bumgarner@gmail.com>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Noah Meyerhans <noahm@debian.org>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Russ Allbery <rra@debian.org>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Noah Meyerhans <noahm@debian.org>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Russ Allbery <rra@debian.org>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: pod <pod@herald.ox.ac.uk>
- Re: HEAD's UP: possible 0day SSH exploit in the wild
  - From: Peter Jordan <usernetwork@gmx.info>

Prev by Date: Re: HEAD's UP: possible 0day SSH exploit in the wild
Next by Date: Re: HEAD's UP: possible 0day SSH exploit in the wild
Previous by thread: Re: HEAD's UP: possible 0day SSH exploit in the wild
Next by thread: Re: HEAD's UP: possible 0day SSH exploit in the wild
Index(es):
- Date
- Thread