
Mailing List Archive
Re: [tlug] Confessions of a closet OpenBSD user
On Thu, Jun 27, 2002 at 01:10:15PM -0400, Josh Glover wrote:
> OK, I have been called on a couple of things that have been going on
> recently, so I must come clean.
>
> I use OpenBSD. Even worse (and more shocking), I like it and agree with
> its design philosophy. The same goes for OpenSSH.
*shrug* I used it at one point. There is redemption. ;) I have to
question your sanity on agreeing with OpenSSH design philosophy
though. I think we have massacred that horse though so I'm not going
to discuss it again here.
>
> In the past week, a new OpenSSH vulnerability hit Bugtraq, raising the
> old "OpenBSD and Theo DeRaadt suck" debate on (U|L)[U]UG mailing lists
> the world over. I have been involved in the debate here, and it has been
> brought to my attention in private email that I have sinned.
>
> I agree, and here is my repentance and clarification. Please feel free
> to assign penance as you see fit.
penance:
10 weeks working the help desk at AOL. You are required to be nice. ;)
>
> 1) I use OpenBSD. It is not my primary OS, but I do usually have it
> installed on a box (or virtual machine) or two at any given time.
> 2) I like OpenBSD. It is small, tight, and fast, in my experience.
> 3) I agree wholeheartedly with the design philosophy behind OpenBSD,
> especially how default installs work.
Yeah, their default-everything-off approach is the right one, but they
aren't the only ones who do that.
> 4) I would like to see OpenBSD get better and better, and am interested
> in getting personally involved in the project, as time and my limited
> knowledge allow.
Hmm. more penance may be in order. ;)
> 5) I do not dislike Theo DeRaadt or any of the other OpenBSD developers
> personally. I feel that Theo has been a bit abusive to the world at
> large from time to time, but I derive no special pleasure from seeing
> people lash out at him. I find that correspondence between him and other
> well-known developers can have high entertainment value at times, especially
> the back-and-forth that arises time and again between Theo and Alan Cox.
> 6) I am very guilty of getting a bit caught up in the mass hysteria
> surrounding the most recent OpenSSH vulnerability. I do run OpenSSH on
> many boxen, and when a vuln is found that affects me that much, I can
> overreact. That is what I did in this case. I can only plead for
> forgiveness on the basis that the OpenSSH vuln followed so closely on
> the heels of the biggest Apache vuln in about five years that I was
> quite stressed out in my professional capacity as a sysadmin.
> 7) My reaction to the vuln was to upgrade to OpenSSH 3.3 and make the
> config file changes suggested in the OpenBSD security advisory, the ones
> that Stoyan (sp? sorry) posted to this very list:
>
> (in sshd_config (usually found in /etc/ssh or in /usr/local/etc)):
>
> ChallengeResponseAuthentication no
> PAMAuthenticationViaKbdInt no
> UsePrivilegeSeparation yes
>
> 8) When OpenSSH 3.4 was released, I upgraded again and turned
> ChallengeResponseAuthentication and PAMAuthenticationViaKbdInt back on,
> as they are Good Things(tm) when no vulns exist.
> 9) After the dust settled a bit, and cooler heads prevailed, I realised
> that moving away from OpenSSH was not a good decision to make on the
> spur of the moment. I will need to look at some other options and compare.
> 10) It was not fair of me to simply make an anti-OpenSSH statement and
> not clarify my position at all.
Fair? Life ain't fair. I certainly make complete unfair comments all the
time, and I expect you to continue to do the same. Someone will invariably
set you down if you act up too much. :)
>
> I think that about covers my sins. ;)
>
> Now, to continue to be fair, I must state that my confidence in OpenSSH
> is a bit shaken. However, this is really a blessing in disguise. Blind
> trust in programs tends to lead to a "magic bullet" mindset, which is
> extremely dangerous for a security-mindful admin, which I ostensibly am,
> and certainly try my damndest to be. This week has shown me that daemons
> which are big players in *my* networks, to say nothing of the Internet,
> are just as susceptible to vulns as smaller things that are less mindful
> of good security design and coding principles (I claim this about
> Apache, as OpenSSH is not as carefully designed).
>
> I have been remiss in not reading source and looking more carefully at
> the security history and design history of daemons on which I rely
> heavily for maintaining a network with an acceptable level of security.
>
> In conclusion, I apologise for my remarks about OpenSSH, which were
> off-the-cuff and not very fair.
Man, someone laid into you good, didn't they. Let's be honest, most of us
have not dug through all the source code for these things.
>
> Also, I hope that no-one on this list takes comments made by anyone else
> without at least a grain of salt. That can be dangerous.
Especially ones made by me. ;)
--Matt
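The three sshd_config lines quoted in the thread only take effect if nothing earlier in the file sets the same keyword, because sshd uses the first value it sees for each keyword. The following is an added example, not code from this thread or from OpenSSH, that audits a config under that rule; the sample config is constructed to show the appended-too-late pitfall.

```python
# Added example (not from the thread): audit an sshd_config for the three
# advisory settings. Relevant sshd_config semantics: keywords are
# case-insensitive, "#" starts a comment, and for each keyword the FIRST
# value wins, so a hardening line appended at the end of the file is
# ignored when the keyword already appears earlier.
WANTED = {
    "challengeresponseauthentication": "no",
    "pamauthenticationviakbdint": "no",
    "useprivilegeseparation": "yes",
}


def effective_global_settings(text: str) -> dict:
    """First-wins keyword -> value map for the global section (stops at 'Match')."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # only the 'Keyword value' form is handled
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":  # settings below a Match block are conditional
            break
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def audit(text: str) -> list:
    """One finding per advisory setting that is not actually in effect."""
    effective = effective_global_settings(text)
    findings = []
    for key, want in WANTED.items():
        got = effective.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly")
        elif got.lower() != want:
            findings.append(f"{key}: effective value is {got!r}, want {want!r}")
    return findings


# Constructed sample: the hardening lines were appended below an older "yes".
SAMPLE = """Port 22
ChallengeResponseAuthentication yes
PAMAuthenticationViaKbdInt no
ChallengeResponseAuthentication no
UsePrivilegeSeparation yes
"""
```

Running `audit(SAMPLE)` reports that ChallengeResponseAuthentication is still effectively "yes" despite the appended "no" line.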