[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200311160355.hAG3t2La007311@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: SSH Exploit Request
On Sat, 15 Nov 2003 20:56:51 EST, Vladimir Parkhaev said:
> The fact is, upgrading sshd (not XYZ!) does not require reboot
Normally, yes.
> and does
> not affect any other processes that server runs.
Again, normally yes. But if you believe it's *impossible* for a run-away
process to not affect other processes, I suggest you go read up on fork bombs,
the numerous ways that various OOM-killers in the Linux kernel have proven
deficient, and a lot of other related issues.
> If you don't believe
> me, just... try it :)
I've *been* trying it since it was ssh.com's version 1.2.<verysmallN>
or so. Has worked reasonably every time, except for the one time I built it on
an IRIX 6.5.N and installed it on 6.5.M, where M<N. It promptly ran afoul
of an API change, went runaway, and earned me a trip to the data center to
unsnarl things at the console. (I also hit a similar problem when the
sshd was linked on an AIX system with the 4.3.3.75 version of libc, but
tried to run on a pre-.75 version, but *that* one promptly died a quick
and horrible death without impacting anything else).
<estimates number of SSH versions times number of machines, and gets at
least 4 digits> So we've got some 99.98% reliability in installing sshd
without disruption. But 99.98 isn't 100 unless you work at Intel.
Any my point is that anybody who's running a production system who is
installing *ANYTHING* with the attitude "this can't *possibly* fail" is
looking for a VERY rude awakening when it *does* fail.
So tell me - do you trust the installs enough to just do it and logout
without bothering trying to ssh in to make sure it works first? ;)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031115/c565925d/attachment.bin
Powered by blists - more mailing lists