But this IS an over-blown non-issue. Yes: root can read your password if you type your password to a machine. There is absolutely nothing that OpenSSH can do about that. Don't like it? Use public keys and don't type your password to machines you don't trust.

Don't believe me? Imagine Theo magically fixes this bug perfectly. Then I get root on your machine, and Trojan your SSH daemon with the old version that has the present functionality. You'll never notice because it works just fine, and I get to collect your passwords.

This is a really dumb issue to be making a fuss about. Theo is guilty of a lot of hubris around OpenSSH and OpenBSD, especially the way the *previous* vulnerability was handled. But this time, it is a non-issue.

Crispin Michael Smith wrote:
> This is good:
>
> Vendor response:
> Theo and Markus told Andrew that this is not an issue. Theo says that
> you cannot prevent root from determining a user's password. Andrew does
> not disagree but asked why OpenBSD bothers to encrypt user passwords at
> all if that is his attitude.
>
> On Thu, 2002-09-19 at 22:46, Jimmy S. wrote:
>
>> Check this out
>>
>> http://www.securiteam.com/unixfocus/5VP0H2A8AK.html
>>
>> Jimmy
>>

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
This archive was generated by hypermail 2b30 : Fri Sep 20 2002 - 13:29:26 PDT