Subject: Re: FreSSH
To: Michael G. Schabert <david@vex.net>
From: John Nemeth <jnemeth@victoria.tc.ca>
List: current-users
Date: 03/07/2002 21:04:38
On Jul 28,  6:24pm, "Michael G. Schabert" wrote:
} At 11:32 PM -0500 3/7/02, David Maxwell wrote:
} 
} >Well, I'd like an sshd that I don't have to be ready to upgrade on every
} >exposed machine on a day's notice.
} >
} >It would be kind of nice to step away from the net for a few days, and
} >not wonder if everything's fallen apart while my back was turned.
} 
} C'mon, David, you know better than that. No program greater than a 
} hundred lines or so can have active development *and* be bug-free 
} every second. Every substantial program on the planet has had bugs 

     Keep in mind the team that is developing OpenSSH.  Their marketing
fodder (which the press eats like candy, along with various
non-discriminating hobbyists that don't know any better) would have you
believe that their released code is bug-free every second.  (Note that
I said released code, not development code, which is very different).
Have you ever looked at the OpenSSH code?  I have, since I needed to
solve portability problems multiple times.  It is extremely grotty.  It
isn't a surprise that it has security holes.  It needs a complete
rewrite.

} during its development. We still ship with sendmail too, and that has 
} had *far* more exploitable bugs than OpenSSH.

    It has been quite some time since sendmail had a remotely
exploitable hole.  The current version isn't setuid anymore either.
sendmail is also much older code and dates back to before the net was
security conscious and knew about some of the more esoteric problems.
OpenSSH is much more recent and doesn't have the same excuse.

} No, you don't have to be prepared on a day's notice. The same could 
} be said the day after every security advisory for every utility 
} is released. Heck, according to this advisory it has existed since 

     Most utilities I have only run on a few select machines (i.e. just
the ones that provide the service in question) whereas, I have OpenSSH
running everywhere, including on a bunch of client machines spread all
over the city.  An OpenSSH remote hole is a major deal.

}-- End of excerpt from "Michael G. Schabert"