WORK IN PROGRESS -- WORK IN PROGRESS
SSH - are you nuts!?!
by Jesse Monroy, Jr.,
Does Bruce Schneier lie?
Summary and Review:
Jan. 12, 2001
This talk was given on Jan. 4, 2001. The comments from many was
"You'll be making a fool of yourself". Perhaps I should
have changed the title to read, "Jesse, your nuts for doing
this talk". Certainly it drained me.
While this talk was not what I hoped (it was way too long 2+ hours) I think the
end goal is being accomplished. What enticed me to do this talk
was hearing may people at local computer club meetings say,
"Anyone using telnet any more is nuts!" After the
talk was completed someone told me that Bruce Schneier had
give a talk stating similar words (the origin was revealed.).
As such, I found many problems. The first, and most difficult to
overcome, was my peers stating that, "I was not qualified".
Certainly, I am not a security expert or an encryption expert,
but a I had knowledge of logic, mathematics, computer hardware &
software, security and some common sense.
These things, and my good friends from work and local clubs,
drilled me to find the flaws in ssh. However,
some, without their knowledge, would argue for ssh only to reveal
a classic error in logic.
The Points listed below are points that I made during the talk.
Any person disputing these points is welcome to come to
San Jose and give opposing points of view durning a
regular scheduled meeting of SVBUG
You may schedule your rebuttal by emailing the
Errors in this presentation are mine alone. No error here
should be attributed to the origin, whatsoever. I take full
responsibility for errors, misinformation, mis-attribution or
falsehoods presented here.
Lastly, this is labeled "Work In Progress" for two (2) reason:
- I have a job, that work takes priority.
- More facts are being uncovered everyday, I'll post them when available.
Major Discussion Points
As I am aware that some people wish to dispute my argument
I am making some of the
Raw Data Available.
- What I won't be saying
- My frame of reference
- What I will be saying
- Why I'm doing this
- My Personal Complaints
- What people have to say
- SSHv1 vs. SSHv2
- SSHv2 Features
- The SSH Specs (the problems)
- Authentication/Encryption -Two methods to argue
- SSH(v2) Faults
- Who wants your data
- What is the Man-In-The-Middle
- Your Governments Involvement
- What SSH program there are
- What alternatives you have
- Last words
Updates To Information
Note: Information in this area may be incomplete until I have time
to fill it in. That might be never, given the situation. If you feel
you need more information on any area below, please
- 2000-01-10 During the talk I recommended people move to Bind v9.x, I now recommend against it.
- 2000-01-08 During the talk I underestimated the problems with the r* tools (rsh,rlogin,rcp). The r* tools have major problems, given their nature I don't blame people for trying to fix things by implementing ssh.
- 2000-01-12 A new countermeasure worth considering is a "sacrafical lamb" or "open target" to redirect bot-attacks to.
- 2001-02-09 A new vulnerability in SSH Daemon; DEAD:
See: http://razor.bindview.com/publish/advisories/adv_ssh1crc.html Thanks to James @ OpenCountry.org
OpenSSH PAM challenge/authentication error Announced: 2003-10-05
OpenSSH buffer management error Announced: 2003-09-16
openssh contains remote vulnerability Announced: 2002-07-15
OpenSSH contains exploitable off-by-one bug Announced: 2002-03-07
OpenSSH UseLogin directive permits privilege escalation [REVISED] Announced: 2001-12-02
SSH1 implementations may allow remote system, data compromise Announced: 2001-02-12
Hostile server OpenSSH agent/X11 forwarding Announced: 2001-01-15
Talk given Jan. 4, 2001
OpenSSH UseLogin directive permits remote root access Announced: 2000-07-05
ssh port listens on extra network port [REVISED] Announced: 2000-06-07
telnet client buffer overflows Announced: 2005-03-28
telnetd contains remote buffer overflow Announced: 2001-08-20
telnetd contains remote buffer overflow Announced: 2001-07-23
Talk given Jan. 4, 2001
telnetd allows remote system resource consumption [REVISED] Announced: 2000-11-14
svbug.com © 30-Apr-2006