Life in the trenches: an OpenSSH developer speaks
by Sam Varghese
Friday, 24 October 2008

By then, the OpenSSH project had a good implementation of the SSH protocol 1. "In the years since there had been an IETF (Internet Engineering Task Force) effort to standardise on a newer version of the protocol which fixed a bunch of cryptographic weaknesses and made it a bit more flexible, which was basically SSH protocol version 2," Miller says. "The commercial versions of ssh.com supported this protocol. Markus Friedl implemented pretty much all of it himself in OpenSSH in an amazingly short period. I think it was in 2001 or 2002 that we released a version of OpenSSH based on Markus's work which supported protocol 2."

Markus's implementation made OpenSSH compatible with the SSH put out by ssh.com and fixed some cryptographic problems, "not things which could lead to break-ins but things which scared cryptographers and people like me," says Miller. "It was a moving target because protocol version 2 did not get standardised until 2005."

In 2003, Niels Provos did some remarkable work on OpenSSH to implement what is known as privilege separation. Says Miller: "The typical style of writing a UNIX login process was to run it as root, the most privileged user on the system. This server would run as root for its whole lifetime. The justification for this was it needed to log people in, it needed to be able to write to logfiles, it needed to be able to set the user ids so that joe can log in as joe rather than as some other account. The problem was that that left the server exposed to any bug, it made it a very attractive target and any bugs that could be exploited would give someone highly privileged access to the system. There had been a few bugs in OpenSSH, a couple of which had resulted in break-ins."

Niels introduced some architectural changes. "He split it into a couple of processes, one handles interaction with the network, the cryptography and the passing of data from the network to the computer. All of the complicated and hairy stuff gets done there. And that's the part that is most likely to have the security bugs in it. There's a whole lot of complicated stuff there, you're dealing with binary data which has come from somebody who may or may not be hostile and it's the path that an attacker gets to interact with basically. Niels took this part out, separated it out from the server and made it run without any particular privilege so that if an attacker broke into that they would not get superuser privileges. They would find themselves jailed in a part of the system which really would not give them access to anything."

However, OpenSSH still needs root access to do a lot of things. "So he separated the parts which require this kind of access into a smaller sub-program which hangs on to these privileges and acts as a server to that part of OpenSSH that deals with the network. When this unprivileged network-facing part of OpenSSH wants to log a user in, it goes and asks the privileged part to do what it needs to. And the privileged part performs checks - like has this user authenticated themselves properly? Because it's got a very narrow and tight interface with the unprivileged part, it's a lot more difficult to attack."
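The split Miller describes, as an added sketch in C that is not OpenSSH's own code: a privileged monitor answers one narrow request type over a socketpair, and the network-facing child drops root before it touches any bytes. The request names, the "nobody" account and the one-entry user table are constructed assumptions for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
/* Hypothetical privsep sketch: the monitor (parent, keeps root) answers one
 * narrow request type from the unprivileged network-facing child. */
enum { REQ_CHECK_AUTH = 1 };
#define MAX_USER 32
struct req { unsigned char type; char user[MAX_USER]; };

/* Monitor side: anything but a well-formed REQ_CHECK_AUTH for a known user
 * is refused, so a compromised child can ask for very little. */
int monitor_handle(const struct req *r) {
    if (r->type != REQ_CHECK_AUTH) return 0;               /* unknown request */
    if (memchr(r->user, '\0', MAX_USER) == NULL) return 0; /* unterminated */
    return strcmp(r->user, "joe") == 0;        /* constructed table: only joe */
}

/* Child side: give up root before touching attacker-supplied bytes. A real
 * daemon would also clear supplementary groups and chroot to an empty dir. */
static void drop_privileges(void) {
    if (geteuid() != 0) return;                        /* already unprivileged */
    struct passwd *pw = getpwnam("nobody");            /* assumed account */
    if (pw == NULL || setgid(pw->pw_gid) < 0 || setuid(pw->pw_uid) < 0)
        _exit(3);                                      /* never run privileged */
}

/* Fork an unprivileged worker that asks the monitor over a socketpair.
 * Returns 1 (allow), 0 (deny) or -1 on a plumbing error. */
int privsep_check(const char *user) {
    int sv[2], status = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                    /* network-facing child */
        close(sv[0]);
        drop_privileges();
        struct req r = { REQ_CHECK_AUTH, {0} }; unsigned char ans = 0;
        strncpy(r.user, user, MAX_USER - 1);
        if (write(sv[1], &r, sizeof r) != (ssize_t)sizeof r) _exit(2);
        if (read(sv[1], &ans, 1) != 1) _exit(2);
        _exit(ans);                                    /* 0 or 1 */
    }
    close(sv[1]);                                      /* monitor keeps root */
    struct req r = { 0, {0} }; unsigned char ans = 0;
    if (read(sv[0], &r, sizeof r) == (ssize_t)sizeof r) ans = (unsigned char)monitor_handle(&r);
    if (write(sv[0], &ans, 1) != 1) ans = 0;
    close(sv[0]);
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) < 2) ? WEXITSTATUS(status) : -1;
}
```

The monitor never sees raw protocol data, only a fixed-size request it validates before acting on, which is the narrow interface that makes the privileged side harder to attack.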

Other circumstances led to privilege separation being introduced fairly quickly. "We got notification that a security research company had found a nasty bug in OpenSSH and were going to release the details in a couple of weeks. So Theo and Niels had a choice. One was to wait a couple of weeks and do a coordinated release with these security researchers. They were going to release their findings as soon as we made our release. And if that had been done then it would have been easy to find, by examining the difference between the old release and the new one, what the bug was.

"Or we could release a version with privilege separation turned on by default which would reduce the severity of this security problem from a root compromise of a system running OpenSSH to a compromise of an unprivileged part of OpenSSH. Theo decided to release a version with privilege separation turned on by default. Quite a few people yelled at us for releasing a fairly major bit of functionality at short notice. Two weeks later the security researchers released their bug details and we had saved quite a few people from getting broken into."
