From owner-freebsd-security Tue Mar 27 10:15:29 2001
Date: Tue, 27 Mar 2001 13:14:56 -0500 (EST)
From: Robert Watson <robert@fledge.watson.org>
To: Rob Simmons
Cc: freebsd-security@FreeBSD.ORG
Subject: OpenSSH (was: Re: SSHD revealing too much information.)

On Tue, 27 Mar 2001, Rob Simmons wrote:

> The portable version of OpenSSH, 2.5.2p2 has good support for PAM now.
> I have compiled it for x86 Solaris and it works great. I had asked a
> little bit ago about the plans to move to the 2.5 branch of OpenSSH and
> the general sentiment was that a couple of things were still broken in
> that branch, such as TIS. I took a look at the changelog and I don't
> see anything about TIS being fixed, nor do I see anything in the TODO
> about fixing it. Are there any more problems with 2.5 before moving it
> into STABLE?

Originally there was only the OpenBSD distribution of OpenSSH, which was imported shortly after its initial release and the cleaning up of crypto distribution concerns regarding the US. At some point, the portable distribution also became available, but we have chosen to remain with the OpenBSD distribution, while incorporating some of the portable distribution's features (such as PAM), as well as local changes.
I'm not familiar with the complete line of reasoning by which we should remain with the OpenBSD distribution, but know that it in part reflects the similarity of the OpenBSD code base to ours: while the portable distribution works fine on FreeBSD, the claim has been made that its source code is substantially more convoluted as a result of compatibility requirements introduced for other platforms. However, given the increasing divergence of our OpenSSH from the OpenBSD distribution (especially in ways more in line with the portable distribution, such as PAM), this is a decision that we should be revisiting regularly. The task of merging back our changes into the OpenBSD distribution in each import is substantial, and has been one of the reasons we have not moved forward with new OpenSSH versions immediately on their release.

We have been careful to merge back security fixes, which is one reason why the (apparently controversial) change was made to the version string: we wanted to indicate to version scanning software that we were not vulnerable to security problems present in the OpenSSH major number used, and prevent false positives being associated with the base FreeBSD install. I.e., just because it says 2.3.x doesn't mean it is vulnerable to the traffic analysis or hash weakness vulnerabilities.

Robert N M Watson
FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org
NAI Labs, Safeport Network Services
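The false-positive problem Robert Watson describes above (a scanner that keys only on the upstream OpenSSH version number cannot tell a patched vendor build from an unpatched one) can be shown with a small banner parser. The following is an added example written for this page; it is not code from the original post, from FreeBSD, or from OpenSSH. The sample banners, the vendor tag format `FreeBSD-YYYYMMDD` in the comment field, the "fixed in" threshold and the vendor fix date are all constructed assumptions used to illustrate the mechanism, not the real strings or dates FreeBSD shipped.

```python
"""Illustrates why a version-number-only SSH banner scanner produces false
positives against vendor builds that backport security fixes.

All banners, thresholds and dates below are constructed for the example.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample banners (hypothetical; not FreeBSD's actual string).
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_2.3.0",
    "SSH-1.99-OpenSSH_2.3.0 FreeBSD-20010327",
    "SSH-2.0-OpenSSH_2.5.2p2",
]

# Hypothetical scanner policy: upstream OpenSSH below this version is
# treated as affected unless a recognised vendor tag says the fix was
# backported on or after the vendor's fix date (both values assumed).
ASSUMED_FIXED_IN: Tuple[int, int, int] = (2, 5, 0)
ASSUMED_VENDOR_FIX_DATE: Dict[str, int] = {"FreeBSD": 20010301}

# SSH identification string: SSH-<protoversion>-<softwareversion> [SP comments]
IDENT_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?:[ \t]+(.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?")
VENDOR_RE = re.compile(r"^([A-Za-z]+)-(\d{8})$")  # assumed vendor tag shape


def parse_banner(line: str) -> Optional[Tuple[str, str, str]]:
    """Split a banner into (protocol version, software version, comments)."""
    m = IDENT_RE.match(line.strip())
    if m is None:
        return None
    proto, software, comments = m.groups()
    return proto, software, comments or ""


def openssh_version(software: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an OpenSSH software version."""
    m = OPENSSH_RE.match(software)
    if m is None:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def naive_flag(line: str) -> bool:
    """Version-number-only check: what a simple scanner does."""
    parsed = parse_banner(line)
    if parsed is None:
        return False
    ver = openssh_version(parsed[1])
    return ver is not None and ver < ASSUMED_FIXED_IN


def vendor_aware_flag(line: str) -> bool:
    """Same check, but honour a vendor tag that records a backported fix."""
    if not naive_flag(line):
        return False
    parsed = parse_banner(line)
    assert parsed is not None
    for token in parsed[2].split():
        m = VENDOR_RE.match(token)
        if m is None:
            continue
        vendor, tag_date = m.group(1), int(m.group(2))
        fix_date = ASSUMED_VENDOR_FIX_DATE.get(vendor)
        if fix_date is not None and tag_date >= fix_date:
            return False  # vendor build carries the fix: not a finding
    return True


def scan(banners) -> Dict[str, Tuple[bool, bool]]:
    """Return {banner: (naive result, vendor-aware result)}."""
    return {b: (naive_flag(b), vendor_aware_flag(b)) for b in banners}


if __name__ == "__main__":
    for banner, (naive, aware) in scan(SAMPLE_BANNERS).items():
        print(f"{banner!r}: naive={naive} vendor_aware={aware}")
```

The second sample banner is the interesting one: the naive check flags it purely because it reads 2.3.0, while the vendor-aware check clears it because the (assumed) tag records a build date after the vendor's fix. That is exactly the distinction the version-string change in the thread is meant to make visible to scanners; a real scanner would need the actual vendor tag format and dates, which this page does not give.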