RE: [suse-security] OpenSSH 3.3p1 / SuSE 7.3 / no login possible
> I agree with your view of the security problems: first close the gate, second make the gate really secure.
The gate isn't really closed, though, or at least the bolts aren't fastened nor the key turned. The remote compromise of a user account is almost as bad as a remote root exploit, as Steffen already said. However, we're stuck with that being the only way to mitigate the problem currently, which is not SuSE's fault at all.
> About the MD5 problem, well, no one is perfect; that's a problem that is giving some trouble to the real writers of the OpenSSH code. So? Shall we get upset with the SuSE guys for this?
It is true that the 'PAM and OpenSSH' mess-up is no fault of SuSE. However, it is unfortunate that their testing did not find the problem. I do think that there should be a well-defined test procedure for packages, and for OpenSSH that would include at least some PAM tests. Even if not, I believe that in this case it was known that 3.3p1 exhibits problems with PAM, and that should have been stated in the SuSE advisory, IMHO. People can and must be expected to read advisories before they modify their systems. I can understand Olaf and the rest of the SuSE team for how they acted here, and I believe no one who applied the 3.3p1 update is worse off security-wise. The problems that have turned up are nonetheless bothersome.

Cheers,
Tobias (who's been using public key authentication in OpenSSH for quite a while already)
Participants (1): Reckhard, Tobias