
[tlug] Confessions of a closet OpenBSD user

OK, I have been called on a couple of things that have been going on 
recently, so I must come clean.

I use OpenBSD. Even worse (and more shocking), I like it and agree with 
its design philosophy. The same goes for OpenSSH.

In the past week, a new OpenSSH vulnerability hit Bugtraq, raising the 
old "OpenBSD and Theo de Raadt suck" debate on (U|L)[U]UG mailing lists 
the world over. I have been involved in the debate here, and it has been 
brought to my attention in private email that I have sinned.

I agree, and here is my repentance and clarification. Please feel free 
to assign penance as you see fit.

1) I use OpenBSD. It is not my primary OS, but I do usually have it 
installed on a box (or virtual machine) or two at any given time.
2) I like OpenBSD. It is small, tight, and fast, in my experience.
3) I agree wholeheartedly with the design philosophy behind OpenBSD, 
especially how default installs work.
4) I would like to see OpenBSD get better and better, and am interested 
in getting personally involved in the project, as time and my limited 
knowledge allow.
5) I do not dislike Theo de Raadt or any of the other OpenBSD developers 
personally. I feel that Theo has been a bit abusive to the world at 
large from time to time, but I derive no special pleasure from seeing 
people lash out at him. I find that correspondence between him and other 
well-known developers can have high entertainment value at times, especially 
the back-and-forth that arises time and again between Theo and Alan Cox.
6) I am very guilty of getting a bit caught up in the mass hysteria 
surrounding the most recent OpenSSH vulnerability. I do run OpenSSH on 
many boxen, and when a vuln is found that affects me that much, I can 
overreact. That is what I did in this case. I can only plead for 
forgiveness on the basis that the OpenSSH vuln followed so closely on 
the heels of the biggest Apache vuln in about five years that I was 
quite stressed out in my professional capacity as a sysadmin.
7) My reaction to the vuln was to upgrade to OpenSSH 3.3 and make the 
config file changes suggested in the OpenBSD security advisory, the ones 
that Stoyan (sp? sorry) posted to this very list:

   (in sshd_config (usually found in /etc/ssh or in /usr/local/etc)):

   ChallengeResponseAuthentication no
   PAMAuthenticationViaKbdInt no
   UsePrivilegeSeparation yes

8) When OpenSSH 3.4 was released, I upgraded again and turned 
ChallengeResponseAuthentication and PAMAuthenticationViaKbdInt back on, 
as they are Good Things(tm) when no vulns exist.
9) After the dust settled a bit, and cooler heads prevailed, I realised 
that moving away from OpenSSH was not a good decision to make on the 
spur of the moment. I will need to look at some other options and compare.
10) It was not fair of me to simply make an anti-OpenSSH statement and 
not clarify my position at all.

I think that about covers my sins. ;)

Now, to continue to be fair, I must state that my confidence in OpenSSH 
is a bit shaken. However, this is really a blessing in disguise. Blind 
trust in programs tends to lead to a "magic bullet" mindset, which is 
extremely dangerous for a security-mindful admin, which I ostensibly am, 
and certainly try my damndest to be. This week has shown me that daemons 
which are big players in *my* networks, to say nothing of the Internet, 
are just as susceptible to vulns as smaller things that are less mindful 
of good security design and coding principles (I claim this about 
Apache, as OpenSSH is not as carefully designed).

I have been remiss in not reading source and looking more carefully at 
the security history and design history of daemons on which I rely 
heavily for maintaining a network with an acceptable level of security.

In conclusion, I apologise for my remarks about OpenSSH, which were 
off-the-cuff and not very fair.

Also, I hope that no-one on this list takes comments made by anyone else 
without at least a grain of salt. That can be dangerous.

Advice from knowledgeable people is good, but no substitute for thinking 
for yourself. Ask for advice, then ask for explanations. Read source, 
read documentation. This is how one learns Unix.

Finally, and I swear that I am going to end this massive missive (haha 
Josh, you so cleva!) at this:

I am no expert. I hope I do not come off as sounding like I know 
everything about Unix and my way is the One True Way(tm). I will be more 
careful in the future to avoid this kind of behaviour. I may be a 
wannabe BOFH, but at the moment, I am still just a wannabe, a Padawan 
Learner. There are always two, a master, and an apprentice, and I am no 
Qui-Gon Jinn (or even Palpatine, for that matter ;)!

--A Repentant Josh

PS: Though my tone may have been light at times, this email was not 
meant to be sarcastic. I mean what I say here, that I have been remiss 
and a downright "playa hata" toward OpenSSH.

Josh Glover <>

Associate Systems Administrator
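The three sshd_config settings Josh lists in item 7 are easy to get wrong in practice: a line left commented out, or a later duplicate that you expect to win when sshd actually honours the first occurrence of a keyword. The script below is an added example, not part of Josh's post or of OpenSSH itself. It reads an sshd_config the way sshd does for these keywords (comments stripped, keyword matched case-insensitively, "Keyword value" or "Keyword=value", first occurrence wins) and reports whether the file explicitly carries the mitigation from the advisory. The two config files it checks are constructed inline for illustration; because the compiled-in defaults for these keywords differed between OpenSSH releases, the check deliberately requires the values to be set explicitly rather than trusting a default.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSSH): check an
# sshd_config for the mitigation settings listed in item 7 above.
# Assumes sshd_config semantics: '#' starts a comment, keywords are
# case-insensitive, and the first occurrence of a keyword is the one used.

# Print the effective value of keyword $2 in file $1 (first non-comment
# match), or nothing if the keyword is not set at all.
sshd_opt() {
    file=$1
    key=$2
    awk -v key="$key" '
        {
            line = $0
            sub(/#.*/, "", line)      # drop comments, including whole-line ones
            sub(/=/, " ", line)       # accept "Keyword=value" as well as "Keyword value"
            n = split(line, f)
            if (n >= 2 && tolower(f[1]) == tolower(key)) { print f[2]; exit }
        }' "$file"
}

# Return 0 (true) only if file $1 explicitly sets the three mitigation
# values from the advisory; an unset keyword counts as NOT mitigated,
# since the compiled-in default varied between OpenSSH versions.
check_mitigation() {
    f=$1
    cra=$(sshd_opt "$f" ChallengeResponseAuthentication)
    pam=$(sshd_opt "$f" PAMAuthenticationViaKbdInt)
    priv=$(sshd_opt "$f" UsePrivilegeSeparation)
    [ "$cra" = no ] && [ "$pam" = no ] && [ "$priv" = yes ]
}

# Constructed sample configs (not real files from the post) to exercise the check.
MITIGATED=$(mktemp)
UNMITIGATED=$(mktemp)
trap 'rm -f "$MITIGATED" "$UNMITIGATED"' EXIT

cat > "$MITIGATED" <<'EOF'
# sshd_config (constructed example): advisory settings applied
Port 22
ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt no
UsePrivilegeSeparation yes
# a later duplicate does not override the first value sshd read
ChallengeResponseAuthentication yes
EOF

cat > "$UNMITIGATED" <<'EOF'
# sshd_config (constructed example): the common mistake
Port 22
#ChallengeResponseAuthentication no
#PAMAuthenticationViaKbdInt no
UsePrivilegeSeparation=yes
EOF

for f in "$MITIGATED" "$UNMITIGATED"; do
    if check_mitigation "$f"; then
        echo "$f: mitigated"
    else
        echo "$f: NOT mitigated (ChallengeResponseAuthentication='$(sshd_opt "$f" ChallengeResponseAuthentication)')"
    fi
done
```

Run it against a real file with `check_mitigation /etc/ssh/sshd_config` after sourcing the functions; the "first occurrence wins" rule is why the duplicate `ChallengeResponseAuthentication yes` at the bottom of the first sample does not undo the mitigation, and why appending a fix to the end of an existing sshd_config can silently do nothing.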

