Date:      Tue, 27 Mar 2001 13:14:56 -0500 (EST)
From:      Robert Watson <rwatson@FreeBSD.ORG>
To:        Rob Simmons <rsimmons@wlcg.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   OpenSSH (was: Re: SSHD revelaing too much information.)
Message-ID:  <Pine.NEB.3.96L.1010327130806.81313R-100000@fledge.watson.org>
In-Reply-To: <Pine.BSF.4.33.0103271233160.10105-100000@mail.wlcg.com>


On Tue, 27 Mar 2001, Rob Simmons wrote:

> The portable version of OpenSSH, 2.5.2p2 has good support for PAM now. 
> I have compiled it for x86 Solaris and it works great.  I had asked a
> little bit ago about the plans to move to the 2.5 branch of OpenSSH and
> the general sentiment was that a couple of things were still broken in
> that branch, such as TIS.  I took a look at the changelog and I don't
> see anything about TIS being fixed, nor do I see anything in the TODO
> about fixing it.  Are there any more problems with 2.5 before moving it
> into STABLE? 

Originally there was only the OpenBSD distribution of OpenSSH, which was
imported shortly after its initial release and the cleaning up of crypto
distribution concerns regarding the US.  At some point, the portable
distribution also became available, but we have chosen to remain with the
OpenBSD distribution, while incorporating some of the portable
distribution's features (such as PAM), as well as local changes.  I'm not
familiar with the complete line of reasoning by which we should remain
with the OpenBSD distribution, but know that it in part reflects the
similarity of the OpenBSD code base to ours: while the portable
distribution works fine on FreeBSD, the claim has been made that its
source code is substantially more convoluted as a result of compatibility
requirements introduced for other platforms. 

However, given the increasing divergence of our OpenSSH from the OpenBSD
distribution (especially in ways more in line with the portable
distribution, such as PAM), this is a decision that we should be
revisiting regularly.  The task of merging back our changes into the
OpenBSD distribution in each import is substantial, and has been one of the
reasons we have not moved forward with new OpenSSH versions immediately on
their release.  We have been careful to merge back security fixes, which
is one reason why the (apparently controversial) change was made to the
version string -- we wanted to indicate to version scanning software that
we were not vulnerable to security problems present in the OpenSSH major
number used, and prevent false positives being associated with the base
FreeBSD install.  I.e., just because it says 2.3.x doesn't mean it is
vulnerable to the traffic analysis or hash weakness vulnerabilities. 

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
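The version-string point above (a backported fix makes the bare OpenSSH version number a poor indicator of exposure) is easy to see in code. The following is an added example, not part of the original message or of FreeBSD's OpenSSH: it parses SSH identification strings in the `SSH-protoversion-softwareversion SP comments` form, then compares a naive "version below threshold" check against one that also honours a vendor comment announcing local patching. The banners, the `FIXED_IN` threshold and the `PATCHED_TAGS` markers are constructed for illustration and are not real advisory data or the exact string FreeBSD shipped.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Identification string: "SSH-<proto>-<software>[ <comments>]" with CR LF stripped.
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(p\d+)?")


class SshBanner(NamedTuple):
    proto: str
    software: str
    comments: Optional[str]


def parse_banner(line: str) -> SshBanner:
    """Split one server identification line into its three fields."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return SshBanner(m.group("proto"), m.group("software"), m.group("comments"))


def openssh_version(software: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for an OpenSSH software field, else None."""
    m = OPENSSH_RE.match(software)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


# Constructed placeholder: the release in which some issue is assumed fixed upstream.
FIXED_IN = (2, 5, 0)
# Constructed placeholder: comment fragments a vendor might use to signal a patched build.
PATCHED_TAGS = ("FreeBSD localisations",)


def naive_flag(banner: SshBanner) -> bool:
    """Scanner logic that trusts the version number alone."""
    v = openssh_version(banner.software)
    return v is not None and v < FIXED_IN


def vendor_aware_flag(banner: SshBanner) -> bool:
    """Same threshold, but a vendor patch marker in the comments clears the hit."""
    if not naive_flag(banner):
        return False
    comments = banner.comments or ""
    return not any(tag in comments for tag in PATCHED_TAGS)


def audit(lines: List[str]) -> List[Tuple[str, bool, bool]]:
    """Return (software, naive_hit, vendor_aware_hit) for every banner line."""
    out = []
    for line in lines:
        b = parse_banner(line)
        out.append((b.software, naive_flag(b), vendor_aware_flag(b)))
    return out


# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_2.3.0 FreeBSD localisations 20010322\r\n",  # old number, vendor-patched
    "SSH-1.99-OpenSSH_2.3.0\r\n",                                  # old number, no marker
    "SSH-2.0-OpenSSH_2.5.2p2\r\n",                                 # portable release, above threshold
    "SSH-2.0-OtherSSH_1.0\r\n",                                    # not OpenSSH at all
]

if __name__ == "__main__":
    for software, naive, aware in audit(SAMPLE_BANNERS):
        print(f"{software:<20} naive={naive!s:<5} vendor_aware={aware}")
```

The first banner is the case the message describes: a naive version comparison flags it, while the vendor-aware check does not. Even the second check is only a heuristic for triaging scanner output; the vendor's advisory or patch level, not the banner, is what confirms whether a host is actually exposed.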