Minimal Install Option

[Chris Ricker]

On Thu, 21 Aug 2003, Pekka Savola wrote:

> > and then join the OpenSSL / OpenSSH exploit train.... No, thanks!
> 
> I'm puzzled by this point.  These would be local vulnerabilities.  There 
> will always be those, and it can be mitigated by keeping the system 
> up-to-date.

Not so. They're remote exploits from anywhere which can connect to OpenSSH.

> If you haven't heard, hosts.allow activates the access controls very, very 
> early in the process.  You really can't exploit OpenSSH using that: 1) no 
> SSH protocol processing happens before that, and 2) no input is received 
> or processed before that.

a) tcp wrappers is circumventable. How easily depends on how it's 
configured....
b) you're still attackable from any place you list in hosts.allow, even if 
tcp wrappers isn't being bypassed. firewalls can be attacked from inside as 
well as from out....

*shrug* IMHO, it's worth the trouble to manage some firewalls out-of-band. 
In yours, it's not. 

later,
chris