Re: Systemd vsock sshd

[Demi Marie Obenour <demiobenour () gmail com>]

On 12/30/25 01:33, Jacob Bachmeyer wrote:
> On 12/29/25 13:53, Greg Dahlman wrote:
> > I did reach out to the systemd team, while I was working with the kernel
> > security team and I encouraged others to do so if they think it will be
> > productive.
> >
> > There are sensitivities and frustrations that span all groups that make
> > that conversation difficult, but I think someone with an established trust
> > with the project could make forward progress.
>
> I certainly agree that the systemd team's apparent "cavalier" attitude 
> towards security (and sound architecture) makes lots of frustrations.  
> (For example, the "katamari" architecture that made the xz-utils sshd 
> backdoor possible is definitely a bad practice, although a distressingly 
> common one not unique to systemd.)
>
> To *really* set things off here, this vsock listener that crosses what 
> is otherwise a security boundary *looks* like an attempt at a backdoor, 
> although I believe it to be ignorance/negligence rather than malice.

If systemd *also* configured OpenSSH to only allow key-based login,
this would be unexploitable unless OpenSSH has a vulnerability.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

Attachment: OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature