Bugtraq mailing list archives
Re: severe error in SSH session key recovery patch
From: Tatu Ylonen <ylo () SSH COM>
Date: Tue, 13 Feb 2001 01:24:45 +0200
1) { 2) static time_t last_kill_time = 0; 3) if (time(NULL) - last_kill_time > 60 && getppid() != 1) 4) { 5) last_kill_time = time(NULL); 6) kill(SIGALRM, getppid()); 7) } 8) fatal("Bad result from rsa_private_decrypt"); 9) } actually...if we look at the lines that the patch adds, i think it's pretty clear that the variable last_kill_time, declared at line 2 to be static and initialized to 0, will always be 0 at line 3 (since it can't get set to anything else from other code...it's static), which means that the kill (and setting the actual of last_kill_time to something other than 0) will almost always take place (now - 0 is usually a lot more than 60), and the fact that it finally get set doesn't mean anything to anyone, since the only process that recorded that the signal was sent immediately exits at line 8.
You are right. I apologize for the lousy patch. It was done in five minutes, and I e-mailed it to two people at core-sdi with a note "The patch is untested, other than compiling it. I no longer have SSH1 running on my machines. I really recommend upgrading to SSH2." I never intended it to go out on bugtraq. In any case, please do not use that patch. Upgrade to SSH2 instead; it fixes a lot more security problems, some of them fundamental in the protocol. Using SSH1 under SSH2 in compatibility mode (as described at http://www.ssh.com/products/ssh/ssh2-ssh1-server-howto.html) solves the vulnerability as well for SSH1 compatibility mode. (SSH2 was not vulnerable to the key recovery issue anyway.) Tatu SSH Communications Security http://www.ssh.com/ SSH IPSEC Toolkit http://www.ipsec.com/ SSH(R) Secure Shell(TM) http://www.ssh.com/products/ssh
Current thread:
- severe error in SSH session key recovery patch Matt Power (Feb 10)
- Re: severe error in SSH session key recovery patch Andrew Brown (Feb 12)
- Re: severe error in SSH session key recovery patch Kari Hurtta (Feb 12)
- Re: severe error in SSH session key recovery patch Robert Varga (Feb 12)
- Re: severe error in SSH session key recovery patch Tatu Ylonen (Feb 13)
- Re: severe error in SSH session key recovery patch Andrew Brown (Feb 12)