SCIENTIFIC-LINUX-USERS Archives

January 2023

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Yasha Karant <[log in to unmask]>
Date: Mon, 9 Jan 2023 15:26:33 -0800
The hardware issue with VME not connected to any external 
(Internet-accessible) network is a fact of life.

The SL6 issue is a different matter.  Not only are various applications 
vulnerable to compromises from the Internet, but so is the kernel as 
well as kernel systems support software.  As vulnerabilities are 
"discovered", patches/re-writes also should be made available to lessen 
the risk of a compromise.  The mechanical bicycle analogy is not truly 
applicable.  A macroscopic mechanical device can be kept in service 
provided spares are available, can be substituted (different 
derailleur), or fabricated (appropriate materials, machine tools, 
castings, forgings, etc.).  Software (or hardware/firmware that can be 
compromised through hard "backdoors") repair is not trivial and 
typically not worth the effort if updates are available that maintain 
backward compatibility.  If backward compatibility is needed but not 
available, and there are vulnerabilities, then a risk analysis must be 
evaluated.

On 1/9/23 13:15, Konstantin Olchanski wrote:
> On Sun, Jan 08, 2023 at 08:48:33AM -0500, Nico Kadel-Garcia wrote:
>>
>> There is a third party SRPM at:
>>             https://urldefense.proofpoint.com/v2/url?u=http-3A__rnd.rajven.net_centos_6_os_SRPMS_openssh-2D6.4p1-2D1cnt6.1.src.rpm&d=DwIBaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=gd8BzeSQcySVxr0gDWSEbN-P-pgDXkdyCtaMqdCgPPdW1cyL5RIpaIYrCn8C5x2A&m=APF_X_sbP87-U3byu32i-cPT0N0xHPBEhLmLSTRjCbrt6c02NpZBAfu3Z0LoBDLm&s=RoFP8HoZRy6liEx_Q1o6LAJzDhmsdUjdbqtBPSwXUrI&e=
>>
> 
> For the record, urldefense successfully obscures the fact that it points
> to rnd.rajven.net which happens to be registered in Moscow, Russia, per
> xttps://www.whois.com/whois/rajven.net
> 
> A year ago, I would have said, yay, thanks!
> 
> But after certain recent events, I say thank you, but no, thanks.
> 
> P.S.
> 
> It looks like my remaining option is to build openssh from OpenBSD "portable" sources.
> 
> P.P.S. to answer some comments:
> 
> - obsolete - only because you say so. like a mechanical bike, it does today what it did yesterday, users are happy.
> - "so old" - like a grandfather's axe, most of our SL6 machines' hardware was upgraded 2-3 times by now, they run from SSDs on DDR3/DDR4 RAM machines.
> - exception is VME processors - true Pentium-3 and Pentium-4 machines, fit for a museum. purported replacement ("core-2 duo" CPU) was a lemon (high mortality, all dead now). next purported replacement was okay, but went out of production too soon. "just replace it" people, should look at current prices for VME processors and VME hardware, then ask about delivery times, then come back with suggestions (and $$$).
> - insecure - exactly where? ssh insecure? nfs insecure? https insecure (A+ score from SSLlabs)?
> - "hide behind firewall!" - done, 1-2 layers of firewalls. external ssh and https access is required by function.
> - VMs, containers - shuffling chairs on the Titanic, does not address any of the issues above.
> 