
Re: Critical: ssh-nonfree IS exploited




On Sunday, November 11, 2001, at 09:54 AM, Wichert Akkerman wrote:

> > Previously Bernd Eckenfels wrote:
> > just a small information, I have at least 2 confirmed reports about Hacked Debian Boxes. All of them are hacked by exploiting the old nonfree-ssh and installing a rootkit. Fortunately the rootkit is easy to detect, since it is linked against libc5.
>
> Non-free, not part of Debian, etc. etc.

That's very nice, but it avoids the issue. If there is something in non-free that can compromise the entire Debian distribution that someone installs due to a bug or exploit, then the Debian organization needs to deal with this.

You don't have to _fix_ the problem, but there needs to be some warning of the problem. Saying, "It's not our problem" since it's in non-free is irresponsible.

Non-free is held at arm's length from Debian, but there is still a relationship. Anything in non-free that can be shown to be unsafe like this needs to be removed from non-free and thrown into the pool of software that can be installed on Debian, but isn't available from a Debian site or mirror.

I can see that this will lead to the discontinuation of non-free completely. That's been gone over again and again. I didn't agree with the viewpoint that Debian is just about "free" software. To me, Debian is simply the linux distro that's put together the best. I don't want the ideology behind it thrust in my face.

But, it's been pretty obvious that non-free is provided for the user's convenience or to provide stepping stones to a completely free system over time. That leaves it up to the maintainer of an individual non-free package to make sure that the package won't allow the entire distro to be compromised. If the maintainer can't or won't fix it or provide bold warnings upon installation, then the package needs to be cut loose.

If the Debian organization can't handle this for whatever reason then it is time to cut non-free loose and make it in no way, shape, or form part of Debian. If a user wants something that was in what was formerly non-free, then they will need to arrange to get it themselves and it will be on their own head if they get into trouble.


> non-free is not technically part of Debian potato.


It's "somebody else's problem." The SEP principle. Maybe if you ignore it, it will go away.


> > Note: the reason why those production servers are still using non-free ssh is, because a) OpenSSH isn't more secure (had a remote exploit before) and b) upgrade is harder than expected. So we need to make nonfree more recent.
>
> Anyone who thinks openssh is not more secure needs to compare codebases :)



I am completely at a loss to understand why anyone would use this version of ssh over openssh. I could understand choosing to purchase the current ssh over using the free openssh. Well, maybe if someone just hates Theo and won't touch openssh for that reason. :-) (I'm ok with openssh and with Theo. hehe)


