From: Brian Behlendorf
To: "Dalin S. Owen"
Cc: Jason DiCioccio
Date: Mon, 24 Jun 2002 16:38:17 -0700 (PDT)
Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)

On Mon, 24 Jun 2002, Dalin S. Owen wrote:
> FreeBSD's OpenSSH is too old, it doesn't have PrivSep.. :( So firewall
> your port 22 guys. :)

I upgraded to openssh-portable 3.3p1 from ports; note that this morning the port was updated to build openssl 0.9.6d as well, rather than use FreeBSD's openssl libs. I also had to enable privsep; this requires creating an sshd user & group, and creating an empty /var/empty/ for the priv separator to chroot to. Hopefully the openssh-portable port can be updated to create that account & dir at some point, since privsep is on now by default.

Brian
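
The prerequisites listed in the message above (an sshd account and an empty /var/empty for the chroot) can be audited with a script like the following. This is an added example, not part of the original post or the port: the function names are hypothetical, only the user and directory are checked (not the group), and the root-ownership and no group/world-write checks are assumptions taken from OpenSSH's README.privsep rather than from the message.

```shell
#!/bin/sh
# Added example: audit the privsep prerequisites described in the message.
# Assumed defaults: user "sshd", chroot dir /var/empty, owner root.

# Succeeds if the unprivileged privsep account exists.
privsep_user_ok() {
    id -u "$1" >/dev/null 2>&1
}

# Prints one line per problem found with the chroot directory, nothing if clean.
# $1 = directory, $2 = expected owner (name or numeric uid)
privsep_dir_problems() {
    dir=$1
    owner=$2
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "not a real directory"
        return 0
    fi
    # Anything inside the chroot is reachable by the unprivileged child.
    [ -z "$(ls -A "$dir" 2>/dev/null)" ] || echo "not empty"
    [ -n "$(find "$dir" -prune -user "$owner" 2>/dev/null)" ] ||
        echo "not owned by $owner"
    # Group/world write access would let other accounts populate the chroot.
    [ -z "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ] ||
        echo "group or world writable"
    return 0
}

# Runs both checks, reports each failure, returns 0 only if everything passes.
privsep_audit() {
    user=${1:-sshd}
    dir=${2:-/var/empty}
    owner=${3:-root}
    status=0
    if ! privsep_user_ok "$user"; then
        echo "FAIL: user $user does not exist"
        status=1
    fi
    problems=$(privsep_dir_problems "$dir" "$owner")
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems" | while read -r p; do
            echo "FAIL: $dir is $p"
        done
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: privsep prerequisites present"
    fi
    return "$status"
}

# Usage: privsep_audit            (checks sshd, /var/empty, root)
```
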