Developers issue OpenSSH alert

Open source developers yesterday warned of a significant vulnerability in OpenSSH, a tool that ships with many Linux and Unix flavours.

The details of the hole have not been made public because a patch is not yet available, but the secrecy of the developers has caused a schism in the open source community.

Yesterday, Theo de Raadt, lead developer for OpenSSH, a free tool that many administrators use as a secure alternative to Telnet and FTP, announced a significant remotely exploitable vulnerability.

Even version 3.3 of OpenSSH, released only days ago, is vulnerable.

But de Raadt has not announced the finer points of the vulnerability because a patch has to yet be made available.

He insisted that details would be released on Thursday to give distributors time to get updated versions of the tool together before hackers get their hands on exploit code.

In the meantime, de Raadt has detailed a workaround that will secure a system running OpenSSH, although it may break some functionality in the tool.

He recommends enabling privilege separation on the server, which essentially splits OpenSSH into two processes. One process talks to the network, without privilege; the other controls the decision making and hands out privileges as necessary.

The end result is that a hacker gains nothing by compromising the 'front line' process.

De Raadt has been pushing to make privilege separation a de facto standard in distributions which include OpenSSH, but said in his announcement yesterday that he had met with consternation in the open source community.

"We've been trying to warn vendors about the need for privilege separation, but they really have not heeded our call for assistance. They have basically ignored us," he said in an email to the community.

"Some, like Alan Cox, even went further stating that privsep was not being worked on because 'nobody provided any info which proves the problem, and many people don't trust you Theo'."

Apparently, Cox, who is Linus Torvalds's right hand man, even suggested that de Raadt "might be feeding everyone a Trojan".

De Raadt added: "Hewlett Packard's representative was downright rude, but that is OK because Compaq is retiring him. None of them has helped the OpenSSH portable developers make privsep work better on their systems."

The OpenSSH developers hope to have a patch available by Friday, if the vendors co-operate. "Then on Tuesday or Wednesday the complete bug report with patches, and exploits soon after I am sure, will hit Bugtraq," said de Raadt.