From owner-freebsd-ports Mon Jan 22 06:34:13 1996
To: Peter Wemm
Cc: ports@freebsd.org, security@freebsd.org
References: <199601221259.UAA04035@jhome.DIALix.COM>
In-Reply-To: <199601221259.UAA04035@jhome.DIALix.COM>; from Peter Wemm at Mon, 22 Jan 1996 20:59:21 +0800
Message-Id:
Organization: Olahm Ha-Yetzirah
Date: Mon, 22 Jan 1996 16:57:58 +0300 (MSK)
From: Андрей Чернов (aka Andrey A. Chernov, Black Mage)
Subject: Re: ssh /etc config files location..

In message <199601221259.UAA04035@jhome.DIALix.COM> Peter Wemm writes:

>I'm not complaining about this from a "security" point of view, I'm
>complaining about this from a "functionality" point of view.

Well, I accept this point of view.

>I'm not worried so much about the config files, but I am worried about the
>run-time data generated by sshd that is written to the etcdir, and I'm also
>concerned about the critical public and private host keys. sshd_config and
>ssh_config could stay in /usr/local/etc for all I care. :-)

I remember we plan to make /etc read-only; no runtime data should be
written there, so we need to choose another place, maybe /var/run....

So, I still disagree, but the reason is different...

>Exactly.. It "builds fine". It probes to see if the tools exist, and codes
>in the exact pathnames if they are there, and puts in default pathnames
>if they are not.

It isn't acceptable for a security tool: PREFIX can be != /usr/local in the
general case, which can cause the wrong version to be picked from /usr/local.
So, I repeat my variant:

>>In this case they need to be controlled
>>via USE_* variables like other stuff in ssh Makefile. I.e. corresponding
>>BUILD_DEPENDS must be ifdefed.

>Why? If I don't have X11 installed on the target system (and NEVER will,
>because it's a dialup box), and hence will not have wish, and ssh does not
>need wish and will happily build without it, why should I be prevented
>from building the non-X11 port?

If you don't have X11, don't install ssh-askpass. If you install X11,
reinstall the ssh port and setenv USE_WISH before.

>As far as I can see, they are used like this:
>if "wish" on $PATH
>    WISH=`location of wish`
>else
>    WISH=/usr/local/bin/wish
>    echo "Wish not installed, ssh-askpass will not work."
>fi
>.....
>echo "#! $WISH" > ssh-askpass
>cat ssh-askpass.in >> ssh-askpass
>If you build ssh and later install wish, the ssh-askpass will then work.
>It's a runtime dependency, not a BUILD_DEPENDS.

It isn't acceptable to guess the path for security tools; the path must be
exact. The better way is to reinstall ssh when additional software becomes
available. The same words about perl5 & ssh-make-known-hosts: either the path
must be known exactly or this script must not be installed.

There is yet one problem related to this: when building the package (PLIST),
it is unclear whether it must have the minimal ssh scripts set.

>Hmm, I just re-ran the "make" to build the port. I can see that there
>are a few things that "configure" has got wrong...
>It should also use the system libgmp and the zlib port rather than
>building its own....

Ssh may depend on the libgmp/zlib version used. Configure does not even try
to find them in the system.

-- 
Andrey A. Chernov        : And I rest so composedly, /Now, in my bed,
ache@astral.msk.su       : That any beholder /Might fancy me dead -
http://dt.demos.su/~ache : Might start at beholding me, /Thinking me dead.
RELCOM Team,FreeBSD Team : E.A.Poe From "For Annie" 1849
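As an added example, not code from this thread or from the ssh port: the probing logic Peter quotes, placed beside a variant that generates the ssh-askpass wrapper only when the interpreter sits at an exact path under PREFIX and the operator has opted in with USE_WISH. The `$PREFIX/bin/wish` layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): "guess the interpreter" versus
# "require an exact path under PREFIX" for a generated wrapper script.

# Guessing variant, as quoted in the thread: whatever "wish" is first on
# PATH wins, and with no wish at all it falls back to /usr/local/bin/wish
# even when PREFIX is somewhere else, so the wrapper can later run a
# binary the port never checked.
guess_wish() {
    if command -v wish >/dev/null 2>&1; then
        command -v wish
    else
        echo /usr/local/bin/wish
    fi
}

# Exact variant: the operator must opt in (USE_WISH non-empty) and the
# interpreter must exist at $PREFIX/bin/wish (assumed layout). Prints the
# path on success, returns 1 otherwise, so nothing is ever guessed.
exact_wish() {
    prefix="$1"; use_wish="$2"
    [ -n "$use_wish" ] || return 1
    [ -x "$prefix/bin/wish" ] || return 1
    echo "$prefix/bin/wish"
}

# Build ssh-askpass from its template only when the path is exact;
# otherwise the script is not installed at all, per the thread.
make_askpass() {
    prefix="$1"; use_wish="$2"; template="$3"; out="$4"
    wish=$(exact_wish "$prefix" "$use_wish") || return 1
    { echo "#! $wish"; cat "$template"; } > "$out"
}
```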