FQuest Alert - SSH Security


Bob
09-16-2003, 12:29 PM
All SSH engines on the FutureQuest network have been shut down to facilitate the immediate upgrade of the SSH engines to a just-released version for security purposes.

We will post additional details when the work has been completed.

We appreciate your understanding while we work through this latest unforeseen development,
Bob

Terra
09-16-2003, 05:01 PM
Wow - what an adventure!!! Eeessh...

When we saw the announcement made to the security disclosure lists, we saw this as a clear, immediate, and dangerous risk...

It was severe enough that we decided to pull the plug on all operational SSH daemons and ensure that we had alternative paths into the servers... Something that we would not normally do, since this would inconvenience the site owners, yet in this case the action was warranted...

The frustrating part is that the risk was known, however the solution to the exploit had been trampled on by many throughout the early morning with a lot of speculation... The sources of trusted information were heavily flooded, sort of like 1000 people trying to grab 1 radio to listen to the severe weather reports...

The entire FutureQuest Team pulled out all the stops and banded together to mitigate any potential risks that were carried with this latest OpenSSH exploitable root level hole... Not only were upgrades being cooked up by Bruce (once they were known), Kevin and Arthur were sweeping all the systems to make sure that no glimmer of light was creeping through any SSH crack from the underlying network tweaks that I was putting into place... While Bob and Deb handled the Service Desk complaints of "Hey - why did you kill SSH???"

Overall, our job is now done and in record time...

This was a near miss for one of the most powerful integrated services we provide, and we feel strongly enough about OpenSSH that the next time lightning strikes close, we will respond with swiftness and ferocity... :)

--
Terra
--whoa - that daemon had teeth--
FutureQuest

ericg
09-16-2003, 05:48 PM
Not that I want my ssh cut off (it is the only way I can send e-mail from work), but I am still able to run ssh on astro, and my existing connection is still alive...

jenili
09-16-2003, 05:55 PM
That's cuz they already finished the patches on all the servers and turned it back on. As a buddy of mine would say in a low voice, "DAAaaaaamn!" And as a heavy ssh user, I am very grateful. :)

-- never underestimate the power of a futurequest --

Kevin
09-16-2003, 05:57 PM
Originally posted by jenili:
That's cuz they already finished the patches on all the servers and turned it back on. As a buddy of mine would say in a low voice, "DAAaaaaamn!" And as a heavy ssh user, I am very grateful. :)

-- never underestimate the power of a futurequest --

Correct. We have already completed the upgrades and we did it without breaking the connections that were already open :)

-Kevin

fhilton
09-16-2003, 06:48 PM
Not trying to be funny here, just looking to learn new things. What is OpenSSH and what is this about? Thanks.

Deb
09-16-2003, 06:54 PM
An SSH session applies cryptographically assured privacy and integrity protection as well as mutual authentication to the data passing through it. SSH can protect otherwise insecure protocols such as POP, IMAP, SMTP, and so on. Accessing an account via standard Telnet, FTP, or web based scripts compared to accessing an account via an SSH connection is like sending a postcard compared to sending a letter wrapped neatly inside an envelope. Anyone near the postcard can read it easily. With the number of people (young, old, good, and bad) accessing the Internet today many of us prefer our private information be tucked away a little better than that. Used properly, SSH is an extremely valuable tool that helps users move their data around and work with their scripts with more ease and security.

In layman's terms it's much the same as having command line access with Telnet, only with SSH all of the data transferred is encrypted, thus more secure. You may access an SSH login via your CNC if you do not already have an SSH client such as SecureCRT or PuTTY.


As far as what this is about.... the SSH protocol had a bug that needed to be squished... You can view the slashdot thread at:
http://slashdot.org/article.pl?sid=03/09/16/1327248&mode=thread&tid=126&tid=172


Deb
- The decoder rings don't work here

Kevin
09-16-2003, 06:56 PM
Originally posted by fhilton:
Not trying to be funny here, just looking to learn new things. What is OpenSSH and what is this about? Thanks.

OpenSSH is a program that provides Secure Shell services to our servers. It is a more secure alternative to telnet, rsh, rlogin, and ftp. OpenSSH uses encryption to protect login sessions from sniffing programs and it can be configured to use key-pair-based authentication, which is stronger than simple passwords. More information can be found here: http://www.openssh.org/ and http://www.aota.net/Telnet/index.php4 (ssh is used the same way as telnet so the same tutorial applies to both)

The security problem which was announced this morning had the potential to allow an attacker into our servers, therefore we took immediate action even though there were no confirmed reports that the bugs in the OpenSSH code were actually exploitable.

-Kevin

jenili
09-16-2003, 07:11 PM
Aaaaaand... to continue Deb's analogy, you can use ssh to put a wrapper around those postcards, when you have to send postcards. F'rinstance, you probably pop your mail down from your FQ-hosted site. That's done in plain text. ssh will allow you to "tunnel" the pop communication through an encrypted connection so that it doesn't make sense to anybody who may be trying to eavesdrop on your mail. My mail isn't that exciting, but ya never know. ;)

The natural next question is, how do you do that... and the answer depends on your ssh client. Look in its help or manpage for instructions on tunnelling. The basic idea is, you start an ssh connection between your system and the server. You tell your ssh client that whenever you send data to a given port on YOUR system, it should tunnel that connection to a given port on the server. Then you set up your client software to connect to the local port on your system. By jumping through a few extra hoops on my end (setting up an entry in /etc/hosts or lmhosts pointing www.mydomain.tld to 127.0.0.1 and tunnelling the connection from port 80 on localhost to port 80 on the real mydomain.tld), I was able to use this to secure my connections to the CNC as well.

ssh... it's a beautiful thing. :D
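
The tunnelling recipe jenili describes above, written out as an added example (not code from the thread or from FutureQuest). It builds the ssh -L invocation for POP, IMAP and SMTP, adds a check that the local ports are really listening, and shows the /etc/hosts trick for the web interface. The host name "mydomain.tld", the login "myaccount", the local port numbers, and the assumption that mail runs on the SSH server itself are all placeholders for the example.

```shell
#!/bin/sh
# Added example, not from the thread: local port forwarding with the
# OpenSSH client's -L option, as described in the post above.
# Host name, login name and local port numbers are assumptions.
#
# ssh -L [bind_addr:]local_port:dest_host:dest_port user@sshhost
# opens local_port on YOUR machine; whatever connects to it travels inside
# the encrypted SSH session and is delivered by the SSH server to
# dest_host:dest_port, with dest_host resolved on the server side.

SSH_HOST="mydomain.tld"   # assumption: the server you can log in to over SSH
SSH_USER="myaccount"      # assumption: your login name there

# One -L specification. The bind address is pinned to 127.0.0.1 so that other
# machines on your LAN cannot ride your tunnel (loopback is also the default
# unless GatewayPorts is set, but being explicit costs nothing).
forward_spec() {
    # $1 local port, $2 destination host as seen from the SSH server, $3 destination port
    printf '%s' "-L 127.0.0.1:$1:$2:$3"
}

# Mail tunnels: POP3, IMAP and SMTP, assumed to run on the SSH server itself
# ("localhost" is resolved on the server side). The local ends sit on
# unprivileged ports so no root is needed on the client.
mail_forward_args() {
    printf '%s %s %s' \
        "$(forward_spec 1100 localhost 110)" \
        "$(forward_spec 1430 localhost 143)" \
        "$(forward_spec 2500 localhost 25)"
}

# The complete client command.  -N: no remote shell, forwards only.
# -f: go to the background once authenticated.  ExitOnForwardFailure: if a
# local port is already taken, fail loudly instead of silently running
# without that tunnel (this option is newer than the 3.7 client of 2003;
# drop it on such a client).
tunnel_command() {
    printf 'ssh -f -N -o ExitOnForwardFailure=yes %s %s@%s' \
        "$(mail_forward_args)" "$SSH_USER" "$SSH_HOST"
}

# Verify that a forwarded port is really listening on loopback before you
# point the mail client at it (ss where available, netstat otherwise).
tunnel_listening() {
    # $1 local port
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$1 "
    else
        netstat -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$1 "
    fi
}

# The post's web trick: point www.mydomain.tld at 127.0.0.1 in /etc/hosts
# (lmhosts on Windows) and forward local port 80 to the real site. Port 80
# is privileged, so this one needs root on the client; forwarding a high
# local port instead avoids that, at the cost of a :port in every URL.
web_forward_args() {
    forward_spec 80 www.mydomain.tld 80
}

# Run only when invoked as "sh tunnels.sh start"; sourcing the file merely
# defines the functions.
if [ "${1:-}" = "start" ]; then
    eval "$(tunnel_command)"
    for p in 1100 1430 2500; do
        if tunnel_listening "$p"; then
            echo "local port $p forwarded"
        else
            echo "local port $p is NOT listening"
        fi
    done
fi
```

With the tunnel up, the mail client is told to fetch POP from 127.0.0.1 port 1100 (IMAP 1430, SMTP 2500) instead of from the server's name; everything it sends then crosses the network only inside the SSH session. Binding to 127.0.0.1 matters on a shared LAN: a tunnel bound to all interfaces would let any neighbour relay through your account.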

Deb
09-16-2003, 07:19 PM
Would this be a good time to also mention that FutureQuest provides Secure_FTP (SFTP) as well? ;) By using an FTP client that supports SFTP you also begin to encrypt the data you are uploading and downloading with FTP rather than sending it through "regular FTP" like a ummmm oh what should we call it...hmmm..I guess like an open postcard too ;) Some of the SFTP options are mentioned in this thread: http://aota.net/forums/showthread.php?s=&threadid=15062

Deb
- qANQR1DBwU4DsmPgTbGslW0QB/9eprQhZrBZRiGli8FTwIRR6RSwPuU707RsooCh

jenili
09-16-2003, 07:31 PM
Originally posted by Deb:
Would this be a good time to also mention that FutureQuest provides Secure_FTP (SFTP) as well?
Oooooh yeah... and scp for the *nix crowd, or the *nix-tools-ported-to-Windows crowd. Gotta love that!
scp myfiles mydomain.tld:~/../www/mywebdirectory

Being able to work with my site like I work with my own systems was one of the main reasons I chose FQ. That and the proprietors' competence, integrity, service ethic, and propensity to blush at gushing customer comments. ;)

Kevin
09-16-2003, 07:34 PM
Originally posted by jenili:
Oooooh yeah... and scp for the *nix crowd, or the *nix-tools-ported-to-Windows crowd. Gotta love that!
scp myfiles mydomain.tld:~/../www/mywebdirectory

Being able to work with my site like I work with my own systems was one of the main reasons I chose FQ. That and the proprietors' competence, integrity, service ethic, and propensity to blush at gushing customer comments. ;)

Don't forget rsync over ssh. It makes working on your web site on your own system even easier than scp does. http://rsync.samba.org/

-Kevin

fhilton
09-16-2003, 09:15 PM
Thanks for everyone's response to my question about SSH Security. I think I need a little more experience before I dive into this!

Terra
09-16-2003, 09:39 PM
The saga continues... :rolleyes:

We have just finished a silent upgrade of OpenSSH to 3.7.1p1 since this contains further patchsets... The entire OpenSSH team is going through the code with a fine-tooth comb for the sake of completeness... Most of what is being patched now is peripheral, but still has substance...

--
Terra
--better to be swift than sorry--
FutureQuest

Bradley
09-17-2003, 12:40 AM
Originally posted by Terra:
The saga continues... :rolleyes:

We have just finished a silent upgrade of OpenSSH to 3.7.1p1 since this contains further patchsets... The entire OpenSSH team is going through the code with a fine-tooth comb for the sake of completeness... Most of what is being patched now is peripheral, but still has substance...

--
Terra
--better to be swift than sorry--
FutureQuest

Gee, tell me about it, Terra :P I *believe* RedHat nailed it with the patch I got installed on covetous; if not, I guess I'll find out later..
I did notice on Nagios it is showing SSH OK - OpenSSH_3.1p1 (protocol 2.0) but it apparently did download and update OpenSSH.. I could just be going crazy %)

*Time to find me a matrox card for gentoo* ;)

Kevin
09-17-2003, 12:48 AM
Originally posted by brnoe:
*Time to find me a matrox card for gentoo* ;)

I got both of mine on eBay for less than $50. Both are G450 cards with 32MB on board. The G450 is great for Linux as long as you aren't looking to play 3D games.

-Kevin

Bradley
09-17-2003, 12:51 AM
Hmm, didn't know if ~50 was a good price for a 32MB one or not. What would you suggest for decent 3D play? I have this Radeon 8500 or whatever but I am selling it.. compatible is my keyword, looking on Google right now too

ERP! edit.. not like the BEST 3D card, I think the most 3D anything I'll be playing on here is Quake 3 (if I can get it to work, that is..)

Kevin
09-17-2003, 12:56 AM
Originally posted by brnoe:
Hmm, didn't know if ~50 was a good price for a 32MB one or not. What would you suggest for decent 3D play? I have this Radeon 8500 or whatever but I am selling it.. compatible is my keyword, looking on Google right now too

I have always used nVidia cards for games and Matrox cards for everything else. However, I usually do games in Windows on one box and everything else in Linux on another box, so I have never really tried to set up one of my super fast gaming nVidia cards in Linux, but I know it is possible (I see people asking questions about them all the time).

I pick the Matrox cards for my Linux boxes because they have a very good picture and they are the only cards I tried that worked perfectly in both fbdev and XFree86. I also like the mga_vid kernel module that mplayer can use to play video using the processor on the G450.

Note that the most recent ATI card I have played with was an old ATI Rage 128 so I have no idea how good the Radeon series is.

-Kevin

Bradley
09-17-2003, 01:04 AM
I reckon I'll be investing in the G450 for now (can always sell it later). I actually was working on setting Windows up on my other drive so I could dual boot, but XP didn't want to install for me (3 different times already), so I may just end up using 98. I figured the easiest way for me to do this is to use a swappable HD tray, which should be here this week, so that I can switch between Gentoo and 98. I have a PNY GeForce4 MX 420 I was using in my other machine which seems a bit tempting. Since I am not into gaming and such I'm not too big on understanding all the differences in these new cards except those that I see are recommended. I know nVidia has some great support for Linux it seems (http://www.nvidia.com/object/products_supported.html) so maybe that would be the way to go, as eBay has some nice ones out there; I was looking at the Ti4400 or 4600 (seems PNY makes those too). Just don't want to get stuck with the crap brand ;)
Guess I'll have to figure out what nVidia card I like now since my mind has changed several times in typing this huge run on sentence.
Any suggestions on a certain brand/model?

*I can take a topic from ssh to video cards in 2 posts!* :P

Bradley
09-17-2003, 02:19 AM
To keep this thread somewhat on the track it is supposed to be I continued my video card discussion at http://www.aota.net/forums/showthread.php?s=&threadid=15246

Pssh, what's up with the 60-second post limit ;)

Deb
09-23-2003, 01:24 PM
OpenSSH version 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM authentication code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled). OpenSSH 3.7.1p2 fixes these bugs. For this reason, we have just finished another silent upgrade of OpenSSH to 3.7.1p2.

Deb
- I guess 3.7.1 was just a rough draft
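
Two checks an admin would want after an upgrade like the ones described in this thread, as an added example that is not code from the thread or from FutureQuest: parse the OpenSSH version string (from "ssh -V" or from the banner a server sends on connect) and compare it with 3.7.1p2, and read sshd_config for the condition Deb names above, privilege separation switched off. The version strings, the sample sshd_config and the use of nc for the remote banner are constructed for the example. One caveat the thread already shows (Bradley's Nagios line still reporting OpenSSH_3.1p1 after a Red Hat update): vendors often backport a fix without changing the version string, so a banner older than 3.7.1p2 is a prompt to read the package changelog ("rpm -q --changelog openssh" on an RPM system), not proof of a hole; conversely a server that is not yours can only be judged by its banner.

```shell
#!/bin/sh
# Added example, not from the thread: two checks for a server after an
# OpenSSH upgrade like the one described above. The version strings, the
# sample sshd_config and the host given to remote_banner are constructed
# for this example.

# Smallest upstream release with the PAM fixes named in the post: 3.7.1p2,
# encoded as major, then two digits each for minor, patch and portable level.
MIN_OK=3070102

# Turn any string containing OpenSSH_X.Y[.Z][pN] (output of "ssh -V", or the
# banner "SSH-2.0-OpenSSH_X.Y.ZpN" a server sends on connect) into that
# comparable number. Returns 1 if no version string is found.
openssh_version_key() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p')
    [ -n "$v" ] || return 1
    case "$v" in
        *p*) ;;
        *)   v="${v}p0" ;;          # no portable level: treat as p0
    esac
    ver=${v%p*}; port=${v#*p}
    maj=${ver%%.*}
    rest=${ver#"$maj"}; rest=${rest#.}
    min=${rest%%.*}
    rest=${rest#"$min"}; rest=${rest#.}
    pat=$rest
    printf '%d%02d%02d%02d\n' "$maj" "${min:-0}" "${pat:-0}" "${port:-0}"
}

# True when the version is 3.7.1p2 or later; exit 2 when unparseable.
openssh_version_ok() {
    key=$(openssh_version_key "$1") || return 2
    [ "$key" -ge "$MIN_OK" ]
}

# First effective value of an sshd_config keyword: sshd uses the FIRST
# occurrence of each keyword, keywords are case-insensitive, and '#' lines
# and blank lines are ignored.
sshd_config_value() {
    # $1 keyword, $2 config text
    printf '%s\n' "$2" | awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == key { print $2; exit }'
}

# The condition the post names for the remotely exploitable PAM bug:
# privilege separation switched off. The compiled-in default is yes, so only
# an explicit "no" counts.
privsep_disabled() {
    # $1 config text
    v=$(sshd_config_value UsePrivilegeSeparation "$1" | tr 'A-Z' 'a-z')
    [ "$v" = "no" ]
}

# The first line a server sends is its version string; no login needed.
# Assumes an nc that accepts -w (timeout in seconds). Not run by the checks
# below; for use against your own hosts.
remote_banner() {
    # $1 host, $2 port (default 22)
    printf '\n' | nc -w 3 "$1" "${2:-22}" | head -n 1
}

# Constructed sample config showing the risky setting.
SAMPLE_CONFIG='# constructed sshd_config for this example
Port 22
Protocol 2
UsePAM yes
UsePrivilegeSeparation no
PermitRootLogin no'

# Combine both checks. Returns 0 when nothing needs attention.
assess() {
    # $1 version string or banner, $2 sshd_config text
    rc=0
    if openssh_version_ok "$1"; then
        echo "version: $1 is 3.7.1p2 or later"
    else
        echo "version: $1 is older than 3.7.1p2 or unparseable: upgrade, or confirm a vendor backport in the package changelog"
        rc=1
    fi
    if privsep_disabled "$2"; then
        echo "config: UsePrivilegeSeparation no, the remotely exploitable case: remove that line"
        rc=1
    else
        echo "config: privilege separation on (default)"
    fi
    return $rc
}

# Example run against the constructed inputs.
assess "OpenSSH_3.7.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090702f" "$SAMPLE_CONFIG" || echo "action needed"
```

On a live host the same two calls are "assess \"$(ssh -V 2>&1)\" \"$(cat /etc/ssh/sshd_config)\"" and, for a remote box, "openssh_version_ok \"$(remote_banner host.example)\"". The config check reads only the first UsePrivilegeSeparation line, which is what sshd does; a second, later "yes" does not undo an earlier "no".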

songdog
09-23-2003, 03:59 PM
When you have a couple minutes, can you explain what PAM authentication is? And do any FQ clients use it?

Thanks for sating my curiosity. :noddy:

Terra
09-23-2003, 08:27 PM
can you explain what PAM authentication is?
This should help to explain it:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-1.html
and
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-3.html

And do any FQ clients use it?
Yes, indirectly, because it is a server level methodology for authenticating and authorizing users to specific levels of access...

--
Terra
--How many different ways do you want a background check done?--
FutureQuest