From: Willie Viljoen
To: freebsd-questions@freebsd.org
Subject: Re: OpenSSH security hole on FreeBSD?
Date: Wed, 12 Feb 2003 09:23:14 +0200

On Wednesday 12 February 2003 5:44, BSD baby wrote:
> I install OpenSSH like this:
>
> cd /usr/ports/security/openssh-portable
> make -DOPENSSH_OVERWRITE_BASE install
>
> That puts things here:
> /usr/bin/ssh
> /usr/sbin/sshd
> /etc/ssh/sshd_config
>
> BUT... it seems to be IGNORING the sshd_config!
>
> TWO major security holes:
>
> #1 - It won't let me turn off passwords
> (PasswordAuthentication no)
>
> #2 - It only requires I type the first 8 characters
> of my password! (I use a 16-character password.)
>
>
> I don't have these problems on OpenBSD.
> Any idea why they would be on FreeBSD?

They shouldn't. Why are you using the ported version though? The version
included in base is in many cases more secure than the version from ports,
and it's been checked and poked with a stick by FreeBSD coders to make sure
everything is compatible, not to mention that it's properly PAMified (which
the ports one doesn't seem to be).

If you must have the latest version, rather get it from base and while you're
at it, upgrade the rest of base too. Install the sources in /usr/src and use
cvsup (in ports) to get the latest source, then follow instructions in
/usr/src/UPDATING to upgrade your system.

Will

>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

--
Willie Viljoen
Freelance IT Consultant
214 Paul Kruger Avenue, Universitas
Bloemfontein
9321
South Africa
+27 51 522 15 60
+27 51 522 44 36 (after hours)
+27 82 404 03 27 (mobile)
will@unfoldings.net