this post was submitted on 01 Jul 2024
241 points (98.8% liked)

Linux

4382 readers
92 users here now

A community for everything relating to the linux operating system

Also check out [email protected]

Original icon base courtesy of [email protected] and The GIMP

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
241
'Critical' vulnerability in OpenSSH uncovered, affects almost all Linux systems (www.computing.co.uk)
submitted 6 days ago by [email protected] to c/[email protected]
39 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] -1 points 6 days ago* (last edited 6 days ago) (3 children)

Maybe it is time to move to something new

Also why does sshd run as root. I deal like ssh could use some least privilege

[–] [email protected] 10 points 6 days ago* (last edited 6 days ago) (1 children)

When you log in to an ssh terminal for a shell, it has to launch the shell process as the desired user. Needs to be root to do that.

SSH has been around a long time. It's not perfect, but it's mostly validated. Anything new won't have that history.

[–] [email protected] 1 points 6 days ago (1 children)

Can't it use built in OS mechanisms for that? Surely you could figure out a way to only give it permissions it needs. Maybe break it up into two separate processes.

[–] [email protected] 1 points 2 days ago

That just sounds like root with extra steps (trying to implement OS security policies in a remote terminal utility)

[–] [email protected] 9 points 6 days ago* (last edited 6 days ago)

Preliminary note: OpenSSH is one of the most secure software in the world; this vulnerability is one slip-up in an otherwise near-flawless implementation. Its defense-in-depth design and code are a model and an inspiration, and we thank OpenSSH's developers for their exemplary work.

[–] [email protected] 1 points 5 days ago

Root because it use port 22. I think anything lower than port 1024 requires it. But if this is true, then you can try change the port it is listening to something higher than that.