Mailing List Archive



Re: [tlug] remote



On Thu, Jun 27, 2002 at 06:48:14PM +0900, B0Ti wrote:
> Matt Doughty wrote:
> 
> > On Thu, Jun 27, 2002 at 06:16:46PM +0900, B0Ti wrote:
> > > Matt Doughty wrote:
> > >
> > > > For the love of god no!!! Shut down rlogin, telnet, rsh etc. They are evil!!!
> > > > Install ssh and have at least some semblance of security.
> > >
> > > According to Theo, it doesn't make much difference now ;)
> > >
> >
> > Notice I didn't say OpenSSH. Install the real thing for God's sake.
> 
> Well, the latest openssh (3.4) is said to be safe, but you never know what's next.
> Yesterday we had a Theo Bug, tomorrow we might have a Tatu Bug. Open had only one
> remote hole in six years, afaik Tatu's had more.

Open what? OpenSSH hasn't been around 6 years, more like 2-3. As for that ridiculous
claim about the default install. Dude, they basically turn off all services in the
default install and then say "no remote exploit in blablabla". Their record isn't
any better than just about anybody else's. OpenSSH on the other hand is a hack, and
has had numerous security advisories. In the last three months OpenSSH has had 3
separate exploitable security issues. SSH last had a problem about a year ago, and
that only involved accounts with passwords 2 chars or less, and it wasn't an elevation
of privs. issue.

> I can apt-get a fixed openssh a few hours after the sechole is announced, but I
> can't do that with "The Real Thing".
> 

No, you have to go through the trouble of downloading a tarball, and compiling it.
Life is difficult. As is, I have had to upgrade my boxes once in the last year, and
the bug wasn't even exploitable on my boxen; I just did it because it only took
like 15 minutes.

--Matt

