Re: On why debugging OpenSSH can be so hard

> Please bear in mind that in the world of cryptography, the difference
> between proper error messages and information disclosure
> vulnerabilities is narrow, or only a nuance.

IMHO, you have it backwards. It is the improper error messages that can pose a security risk. If my OpenSSH program is either misconfigured or malfunctioning, and it may be exposing my systems to something nefarious, then how am I to efficiently debug it?

> That's why it fails at that point.

It meaning OpenSSH? So what do you mean by its failing? Because it doesn't let me debug efficiently, it fails to be a "nice" program? But that doesn't make sense given your later argument that suggests it shouldn't be a "nice" program because in this case, "nice" programs expose security risks. Unless, of course, you think the failure is OK, that the failure trumps the security risk you claim. Or you mean something else and I'm not getting it?

(I hope this response adds more to the discussion. :-))
--

Maurice Volaski, mvolaski@xxxxxxxxxxxx
Computing Support, Rose F. Kennedy Center
Albert Einstein College of Medicine of Yeshiva University
