According to the change log, OpenSSH 9.0 suffered a “near miss” – a potential vulnerability that was found and fixed before anyone could attempt to exploit it:
“Near miss in sshd(8): fix an integer overflow in the user authentication path that, in conjunction with other logic errors, could have yielded unauthenticated access under difficult to exploit conditions. This situation is not exploitable because of independent checks in the privilege separation monitor. Privilege separation has been enabled by default in since OpenBSD 3.2 (released in 2002) and has been mandatory since OpenBSD 6.1 (released in 2017).”
This is interesting for several reasons:
- While finding and fixing potential vulnerabilities is basic development work (indeed, security holes are always coding errors), what’s interesting here is that it’s one of the most widely-deployed, heavily-attacked piece of software in the world.
- OpenBSD’s process of continual code auditing (like painting the Golden Gate bridge – get to the end and restart) paid off again.
- The project’s philosophy of privilege separation worked exactly as it should. This barrier prevented any exploitation of the bug.
Kudos to OpenBSD for finding and fixing, and always being transparent.
The OpenSSH project has also been looking to protect users against sophisticated snooping.
Starting with 9.0, OpenSSh defaults to the NTRU Prime algorithm, which is considered to be quantum-resistant. According to Wikipedia:
“Unlike RSA and elliptic-curve cryptography, NTRU is not known to be vulnerable to attacks on quantum computers. The National Institute of Standards and Technology wrote in a 2009 survey that “[there] are viable alternatives for both public key encryption and signatures that are not vulnerable to Shor’s Algorithm” and that “[of] the various lattice based cryptographic schemes that have been developed, the NTRU family of cryptographic algorithms appears to be the most practical”. The European Union’s PQCRYPTO project (Horizon 2020 ICT-645622) is evaluating the provably secure Stehle–Steinfeld version of NTRU (not original NTRU algorithm itself) as a potential European standard. However the Stehle–Steinfeld version of NTRU is “significantly less efficient than the original scheme”.”
Older technologies are still available but I suspect will be phased out down the road once OpenSSH 9+ has gained ubiquity.
Related Posts:
- Is Your Soul as Dark as a Christmas Stocking’s Coal?Make Your Online World Match - December 20, 2024
- Hosteroid has a HOT, Limited Stock Offer in Vienna or Amsterdam! - December 19, 2024
- Cheap Dedi Alert! LinkSecured Has an e3-1240 for $18.88/Month in LA, Dallas, or Phoenix! - December 18, 2024
Leave a Reply