SSH being linked to XZ doesn’t.

So aim your ire at the distributions who (I agree) cocked this one up. "Take a library dependency to implement basic functionality" is not a systemd mentality, it's pernicious throughout software development - see leftPad as another example.

"Put everything in one big ball" is systemd mentality AND something that enabled the xz exploit to work.

Lots of things enabled the xz exploit to work.

If the lesson you take from xz is "systemd bad" then you've really missed the wood for the trees.

It's one of many things to consider. Think of it as sandboxing, or attack surface reduction. Should we expose everything to everything else, or should it be on a need-to-know basis?

My Ubuntu /usr/sbin/sshd already links to libz, liblzma, liblz4 and libzstd. I don't see why linking to libxz would be so outrageous. All-in-all, ldd reports 26 libraries.

They attacked the weakest link, and systemd was just a small pawn in that game. Sure, a smaller attack surface is better, but it's not like OpenSSHd has a small attack surface even without libsystemd. Not even in projects with a similar possibility of obscure "test data."

> My Ubuntu /usr/sbin/sshd already links to libz, liblzma, liblz4 and libzstd.

Except for libz, they are only linked indirectly through libsystemd.

> I don't see why linking to libxz would be so outrageous

The XZ Utils library is called liblzma, not libxz.

> Except for libz, they are only linked indirectly though libsystemd.

Ah, that invalidates my point re. obscure test data. Sloppy use of ldd. (I'm guessing it would be much harder making such an attack on a crypto library.)

Thanks.

In void it links 11 and includes only libz of the items you listed.

On OpenBSD it links 4 libraries. On my crux linux installation, 7.

Why wouldn't SSH be linked to XZ? Isn't it supported as a compression method for connections?

IIRC, xz was used by a systemd library, and that systemd library got added to sshd so it could tell systemd when it had started or something like that. SSH itself doesn't use xz.

ssh out of the box also does not use libsystemd, except on systems which were patched to do so.

I'm aware? It's a compression library that is used by systemd, including in a systemd library that got added to sshd in some distros.

SSH does not support/use lzma/xz compression method for the SSH protocol.

The xz linkage was indirect through a systemd library that some systemd systems link into sshd.