tlug Mailing List Archive

[tlug] Confessions of a closet OpenBSD user
- Date: Thu, 27 Jun 2002 13:10:15 -0400
- From: Josh Glover <jmglov@example.com>
- Subject: [tlug] Confessions of a closet OpenBSD user
- Organization: INCOGEN, Inc.
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020606
OK, I have been called on a couple of things that have been going on recently, so I must come clean. I use OpenBSD. Even worse (and more shocking), I like it and agree with its design philosophy. The same goes for OpenSSH. In the past week, a new OpenSSH vulnerability hit Bugtraq, raising the old "OpenBSD and Theo DeRaadt suck" debate on (U|L)[U]UG mailing lists the world over. I have been involved in the debate here, and it has been brought to my attention in private email that I have sinned. I agree, and here is my repentance and clarification. Please feel free to assign penance as you see fit.

1) I use OpenBSD. It is not my primary OS, but I do usually have it installed on a box (or virtual machine) or two at any given time.

2) I like OpenBSD. It is small, tight, and fast, in my experience.

3) I agree wholeheartedly with the design philosophy behind OpenBSD, especially how default installs work.

4) I would like to see OpenBSD get better and better, and am interested in getting personally involved in the project, as time and my limited knowledge allow.

5) I do not dislike Theo DeRaadt or any of the other OpenBSD developers personally. I feel that Theo has been a bit abusive to the world at large from time to time, but I derive no special pleasure from seeing people lash out at him. I find that correspondence between him and other well-known developers can have high entertainment value at times, especially the back-and-forth that arises time and again between Theo and Alan Cox.

6) I am very guilty of getting a bit caught up in the mass hysteria surrounding the most recent OpenSSH vulnerability. I do run OpenSSH on many boxen, and when a vuln is found that affects me that much, I can overreact. That is what I did in this case. I can only plead for forgiveness on the basis that the OpenSSH vuln followed so closely on the heels of the biggest Apache vuln in about five years that I was quite stressed out in my professional capacity as a sysadmin.

7) My reaction to the vuln was to upgrade to OpenSSH 3.3 and make the config file changes suggested in the OpenBSD security advisory, the ones that Stoyan (sp? sorry) posted to this very list (in sshd_config, usually found in /etc/ssh or in /usr/local/etc):

    ChallengeResponseAuthentication no
    PAMAuthenticationViaKbdInt no
    UsePrivilegeSeparation yes

8) When OpenSSH 3.4 was released, I upgraded again and turned ChallengeResponseAuthentication and PAMAuthenticationViaKbdInt back on, as they are Good Things(tm) when no vulns exist.

9) After the dust settled a bit, and cooler heads prevailed, I realised that moving away from OpenSSH was not a good decision to make on the spur of the moment. I will need to look at some other options and compare.

10) It was not fair of me to simply make an anti-OpenSSH statement and not clarify my position at all.

I think that about covers my sins. ;)

Now, to continue to be fair, I must state that my confidence in OpenSSH is a bit shaken. However, this is really a blessing in disguise. Blind trust in programs tends to lead to a "magic bullet" mindset, which is extremely dangerous for a security-mindful admin, which I ostensibly am, and certainly try my damndest to be. This week has shown me that daemons which are big players in *my* networks, to say nothing of the Internet, are just as susceptible to vulns as smaller things that are less mindful of good security design and coding principles (I claim this about Apache, as OpenSSH is not as carefully designed). I have been remiss in not reading source and looking more carefully at the security history and design history of daemons on which I rely heavily for maintaining a network with an acceptable level of security.

In conclusion, I apologise for my remarks about OpenSSH, which were off-the-cuff and not very fair. Also, I hope that no-one on this list takes comments made by anyone else without at least a grain of salt. That can be dangerous. Advice from knowledgeable people is good, but no substitute for thinking for yourself. Ask for advice, then ask for explanations. Read source, read documentation. This is how one learns Unix.

Finally, and I swear that I am going to end this massive missive (haha Josh, you so cleva!) at this: I am no expert. I hope I do not come off as sounding like I know everything about Unix and my way is the One True Way(tm). I will be more careful in the future to avoid this kind of behaviour. I may be a wannabe BOFH, but at the moment, I am still just a wannabe, a Padawan Learner. There are always two, a master, and an apprentice, and I am no Qui-Gon Jinn (or even Palpatine, for that matter ;)!

--A Repentant Josh

PS: Though my tone may have been light at times, this email was not meant to be sarcastic. I mean what I say here, that I have been remiss and a downright "playa hata" toward OpenSSH.

-- 
Josh Glover <jmglov@example.com>
Associate Systems Administrator
INCOGEN, Inc.
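The three sshd_config directives from item 7 of the mail, turned into a small audit script. This is an added example, not part of Josh's mail or of the OpenBSD advisory he refers to; the function names sshd_get and sshd_audit and the sample config are constructed for the example. It mirrors how sshd reads its config (comment and blank lines skipped, keywords matched case-insensitively, first occurrence of a keyword wins), which is exactly where a hand-edited file goes wrong: a commented-out line or a later duplicate does not take effect. It does not handle the Match or Include blocks of later OpenSSH versions.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# three directives named in the mail. sshd ignores '#' comment lines and
# blank lines, matches keywords case-insensitively, and uses the FIRST
# occurrence of a keyword; the awk below mirrors that behaviour.

# Print the effective value of a keyword in a config file (empty if unset).
#   $1 = config file, $2 = keyword
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*(#|$)/ { next }   # skip comments and blank lines
        { k = tolower($1) }
        k == key { print $2; exit }     # first match wins, as in sshd
    ' "$1"
}

# Compare each mitigation directive with its expected value.
# Prints one line per directive; returns 0 if all match, 1 otherwise.
#   $1 = config file
sshd_audit() {
    file="$1"
    rc=0
    for pair in \
        ChallengeResponseAuthentication=no \
        PAMAuthenticationViaKbdInt=no \
        UsePrivilegeSeparation=yes
    do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(sshd_get "$file" "$key")
        if [ "$have" = "$want" ]; then
            printf 'OK    %s %s\n' "$key" "$have"
        else
            printf 'FAIL  %s is "%s", expected %s\n' "$key" "${have:-unset}" "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config (not a real host's file) showing the usual
# pitfalls: a commented-out line, a lower-case keyword, and a later
# duplicate that sshd never reads because an earlier line already set it.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# sshd_config sample, constructed for this example
Port 22
#ChallengeResponseAuthentication no
challengeresponseauthentication yes
PAMAuthenticationViaKbdInt no
UsePrivilegeSeparation yes
ChallengeResponseAuthentication no
EOF

# The sample fails: the effective ChallengeResponseAuthentication is "yes".
if sshd_audit "$SAMPLE"; then
    echo "all three mitigations are in effect"
else
    echo "at least one mitigation is not in effect"
fi
rm -f "$SAMPLE"
```

Run it against a real file with `sshd_audit /etc/ssh/sshd_config` after sourcing the script; on a current OpenSSH the authoritative check is `sshd -T`, which prints the fully resolved configuration, but the parsing rules the script encodes are the same ones that decide which of several conflicting lines counts.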
- Follow-Ups:
- Re: [tlug] Confessions of a closet OpenBSD user
- From: Matt Doughty