On Tue, 16 Apr 2024 at 01:34, Andy Smith via BitFolk Users <users@mailman.bitfolk.com> wrote:
> Hi,
>
> I really have to push back on a couple of points here:
>
> - The idea that all of the dependencies¹ of openssh are audited, let
>   alone well audited. Unless you know this to be the case, I think
>   it's very unlikely that anyone has been paying attention, because
>   having nobody to pay attention is the norm.

Hmm, I could have sworn I saw something about it being audited, but my Googling found nothing. But my memory stretches back to pre-Google. I'll concede the auditing point. :-)
> - That this is somehow a systemd issue. All of the code in every .so
>   below can do stuff as root inside the address space of the sshd
>   process.
>
> What makes sshd different is that it's run almost everywhere (hugely
> attractive target) and it's often exposed to the whole Internet
> (hugely attractive target) and a lot of it runs as root.
>
> No matter how much anyone hates systemd, this class of problem does
> not go away by refusing to use systemd. Systemd had already made
> changes to avoid it needing to be linked to sshd, before any of this
> stuff happened - this may have been a reason why the attackers
> accelerated their efforts to get this deployed.

I didn't say get rid of systemd, I just said not to use it for sshd, as having systemd control sshd drags in a whole bunch of extra dependencies. I know it's untenable to create statically linked binaries for daemons any more so you have to trust the system libraries, but the smaller the attack surface the better.

Similarly, creating a web interface wrapper around SSH would most likely just add more vectors.
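The thread's point about extra shared libraries being extra attack surface is easy to measure on a real host. The script below is an added example, not code from either poster: it parses `ldd`-style output, counts the `.so` files a binary loads, and lists which libraries one build pulls in that another does not. The two listings it compares are constructed samples in `ldd`'s output format (a minimal sshd versus one linked against libsystemd, which in turn pulls in liblzma); the library names and addresses are illustrative, not captured from any system.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Compares the shared-library
# attack surface of two builds of a daemon from ldd-style output.
LC_ALL=C
export LC_ALL

# CONSTRUCTED sample: ldd output for an sshd with no systemd integration.
SSHD_MINIMAL='    linux-vdso.so.1 (0x00007ffd4c1f9000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1a2c000000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1a2bfe0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2bd00000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1a2c600000)'

# CONSTRUCTED sample: the same daemon with libsystemd linked in, which
# transitively loads liblzma. Names are illustrative.
SSHD_SYSTEMD='    linux-vdso.so.1 (0x00007ffd4c1f9000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1a2c000000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1a2bf00000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1a2bfe0000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1a2beb0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2bd00000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1a2c600000)'

# stdin: ldd output; stdout: sorted, de-duplicated library names.
# The vdso pseudo-library and the dynamic loader line (absolute path,
# no "=>") are skipped because they are not on-disk dependencies.
libs_from_ldd() {
    awk '$1 !~ /^\// && $1 !~ /^linux-vdso/ && $1 ~ /\.so/ { print $1 }' | sort -u
}

# $1: ldd output text. Prints the number of loaded shared libraries.
count_libs() {
    printf '%s\n' "$1" | libs_from_ldd | wc -l | tr -d ' '
}

# $1: baseline ldd output, $2: candidate ldd output.
# Prints libraries loaded by the candidate but not by the baseline.
extra_libs() {
    base=$(mktemp)
    cand=$(mktemp)
    printf '%s\n' "$1" | libs_from_ldd > "$base"
    printf '%s\n' "$2" | libs_from_ldd > "$cand"
    comm -13 "$base" "$cand"
    rm -f "$base" "$cand"
}

# Stand-alone demonstration on the constructed samples.
echo "minimal build loads $(count_libs "$SSHD_MINIMAL") libraries"
echo "systemd build loads $(count_libs "$SSHD_SYSTEMD") libraries"
echo "extra libraries in the systemd build:"
extra_libs "$SSHD_MINIMAL" "$SSHD_SYSTEMD"
```

On a live host the same functions work on real output, e.g. `ldd "$(command -v sshd)" | libs_from_ldd`, and diffing that list between a distribution's patched sshd and an upstream build shows exactly which libraries the integration adds to the process address space.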