Date: Fri, 28 Jun 2002 21:11:38 -0500
From: Scott Robbins
To: Scott Gerhardt
Cc: FreeBSD, freebsd-security@FreeBSD.ORG
Subject: Re: Sshd fix

On Fri, Jun 28, 2002 at 06:52:40PM -0600, Scott Gerhardt wrote:
> For the sshd fix, couldn't I just strip the base openssh from the system and
> install the updated openssh-3.4 from the ports?
>
> If so, what is the best method to disable/eliminate openssh from the base
> system?

This is what I did, and it seems to work. (I'd be grateful if someone pointed out anything I did wrong. Part of it was gotten from a post by someone else, and the rest I figured out, for better or worse, on my own.)

cvsup ports to make sure you have 3.4. Make install.
Edit /etc/rc.conf
Change enable_sshd="YES" to a "NO"
add the line sshd_program="/usr/local/sbin/sshd"

In /usr/local/etc/rc.d you'll find that it's put a script called sshd.sh.sample. Rename that to sshd.sh

You've probably seen the various advisories that suggest taking the ChallengeResponse line and changing it to no (and uncommenting it as well).

Lastly, until I renamed /usr/sbin/sshd, it kept giving me the old version number--so, stop sshd, and rename /usr/sbin/sshd to something else. Then, start the new one
/usr/local/sbin/sshd

This seems to work.

HTH
Scott Robbins
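
A check for two of the edits described in the message above, as an added example that is not part of the original post: it reads an rc.conf and an sshd_config and reports whether sshd_program selects the ports binary and whether challenge-response is actually off rather than merely present as a comment. `ChallengeResponseAuthentication` as the keyword behind the "ChallengeResponse line", its built-in default of `yes`, the function names and the sample file contents are assumptions.

```sh
#!/bin/sh
# Added example; the sample file contents below are constructed.

# Last assignment of an rc.conf variable (the file is sourced as shell,
# so a later line overrides an earlier one). $1=file $2=variable
rc_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Effective sshd_config value: sshd keeps the FIRST uncommented occurrence
# of a keyword; a commented-out line leaves the built-in default in force.
# $1=file $2=keyword $3=default (assumed: "yes" for challenge-response)
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# $1=rc.conf $2=sshd_config; prints findings, returns 0 only if both pass.
audit_sshd() {
    status=0
    prog=$(rc_value "$1" sshd_program)
    cr=$(sshd_effective "$2" ChallengeResponseAuthentication yes)
    [ "$prog" = "/usr/local/sbin/sshd" ] || { echo "FAIL sshd_program=${prog:-unset}"; status=1; }
    [ "$cr" = "no" ] || { echo "FAIL ChallengeResponseAuthentication=$cr"; status=1; }
    [ "$status" -eq 0 ] && echo "OK"
    return "$status"
}

# Constructed samples: "good" follows the message, "bad" leaves the
# directive commented out and sshd_program unset.
d=$(mktemp -d)
printf 'sshd_program="/usr/sbin/sshd"\nsshd_program="/usr/local/sbin/sshd"\n' > "$d/rc.good"
printf '#sshd_program="/usr/local/sbin/sshd"\n' > "$d/rc.bad"
printf 'Port 22\nChallengeResponseAuthentication no\n' > "$d/cfg.good"
printf 'Port 22\n#ChallengeResponseAuthentication no\n' > "$d/cfg.bad"
audit_sshd "$d/rc.good" "$d/cfg.good" || true
audit_sshd "$d/rc.bad" "$d/cfg.bad" || true
```

On a live system, pass the real /etc/rc.conf and the sshd_config that the ports sshd reads, and compare the banner version the daemon reports afterwards with the installed 3.4.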