ZDNet UK



OpenSSH patches second specialised flaw

Published: 24 Sep 2003 15:25 BST


The open-source project for secure communications technology, known as OpenSSH, plugged a second security hole on Tuesday that affects only users who have turned off a critical security feature.

The flaw appears in an open-source implementation of the Pluggable Authentication Modules (PAMs), a technology adopted by Sun Solaris, Linux and BSD systems to let system administrators easily change the way users log into computers. The default login procedure could be changed to a smart-card-based procedure using a PAM, for example.

The project started using open-source versions of the new PAM functions in the latest release of OpenSSH. However, as with a flaw found last week, the current vulnerability affects only versions of OpenSSH that have a security technology known as privilege separation turned off.

"It is unexploitable in the default configuration," said Theo de Raadt, a cofounder of the OpenSSH project. Moreover, he said, the flaw apparently affects only OpenSSH running on Sun Solaris servers.

Privilege separation is a security mechanism that essentially divides programs into two parts: a small component with system privileges that can modify almost any file on the computer, and the rest of the program, which runs with restricted privileges. The mechanism reduces the size of the code that software engineers have to audit carefully, making the program easier to secure.

"It takes a regular bug that could be escalated (by an attack) and protects you from it," de Raadt said.

For that reason, knowledgeable system administrators are not likely to turn off the function. In that case, they wouldn't be affected by the newly discovered flaw.
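A quick way to confirm whether a given server has the function turned off is to read its sshd_config. The script below is an added example, not part of the original article or of the OpenSSH project's code; the keyword name UsePrivilegeSeparation and the parsing rules come from sshd_config(5), the sample configurations are constructed, and Include files are assumed not to be in use.

```python
import re
import shlex

ENABLED = {"yes", "sandbox"}  # values that leave privilege separation on

def privsep_setting(config_text):
    """Effective UsePrivilegeSeparation value for the text of an sshd_config.

    Follows sshd_config(5): keywords are case-insensitive, "Keyword value"
    and "Keyword=value" are both accepted, and the first value read wins.
    Assumption: Include files are not followed.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        keyword = m.group(1).lower()
        if keyword == "match":
            break  # global settings end at the first Match block
        if keyword == "useprivilegeseparation":
            args = shlex.split(m.group(2), comments=True)
            return args[0].lower() if args else "invalid"
    return "yes"  # keyword absent: the default applies

def privsep_disabled(config_text):
    """True unless privilege separation is confirmed on (flags bad values too)."""
    return privsep_setting(config_text) not in ENABLED

# Constructed sample: keyword absent, so the default configuration applies.
SAMPLE_DEFAULT = """\
Port 22
PermitRootLogin no
"""

# Constructed sample: privilege separation explicitly turned off.
SAMPLE_DISABLED = """\
Port 22
useprivilegeseparation = no
UsePrivilegeSeparation yes   # ignored, the first value wins
"""

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("disabled", SAMPLE_DISABLED)):
        print(name, privsep_setting(text), "REVIEW" if privsep_disabled(text) else "ok")
```

To audit a real host, pass the contents of its sshd_config to privsep_disabled() in place of the samples.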

After the flaw appeared on the popular Slashdot news blog, de Raadt criticised coverage of the issue as much ado about nothing. While acknowledging that the maintainers of OpenSSH had fixed two flaws in two weeks, he stressed that neither flaw affects systems in the default configuration.

"Open-source flaws that affect a handful of systems are getting as much coverage as Microsoft flaws that are affecting millions of systems," he said. It's unknown how many computer systems or network devices that use the OpenSSH code may have turned off privilege separation.

Information on the latest flaw and a link to the latest patch can be found on the OpenSSH Web site.
