Date:      Tue, 23 Jan 1996 02:21:22 +0800
From:      Peter Wemm <peter@jhome.DIALix.COM>
To:        Андрей Чернов (aka Andrey A. Chernov, Black Mage) <ache@astral.msk.su>
Cc:        ports@freebsd.org, security@freebsd.org
Subject:   Re: ssh /etc config files location.. 
Message-ID:  <199601221821.CAA11303@jhome.DIALix.COM>
In-Reply-To: Your message of "Mon, 22 Jan 1996 16:57:58 +0300." <GDcVv0nyd6@ache.dialup.ru>

>>I'm not worried so much about the config files, but I am worried about the
>>run-time data generated by sshd that is written to the etcdir, and I'm also
>>concerned about the critical public and private host keys.  sshd_config and
>>ssh_config could stay in /usr/local/etc for all I care. :-)
>
>I remember we plan to make /etc read-only; no runtime data should
>be written there, so we need to choose another place, maybe /var/run....
>So, I still disagree, but the reason is different...

The /etc/ssh_host_key is the signature for the host itself.  It's like the
host's password for doing .rhosts authentication...

If that file ever gets corrupted, or changed, it is a serious problem, because
all the ssh programs that talk to your host have saved a copy of the public
key, and if your host cannot prove it is the same machine, all the ssh's out
there will scream "SECURITY ALERT" and refuse to authenticate because of
potential "man in the middle" attacks.

Those three files are vital to the correct functioning of ssh.  You wouldn't
put /etc/passwd and /etc/master.passwd in /var/run or /usr/local/etc.

>>Exactly.. It "builds fine".  It probes to see if the tools exist, and codes
>>in the exact pathnames if they are there, and puts in default pathnames
>>if they are not.
>
>It isn't acceptable for a security tool; PREFIX can be != /usr/local
>in the general case, which can cause the wrong version to be picked from /usr/local.
>So, I repeat my variant:

The two programs in question (ssh-askpass and make-known-hosts) are not
exactly security tools.  They run without privilege.

Incidentally, ssh-1.2.12a.tar.gz is rather broken.

In the announcement, it also said "ssh-askpass is currently broken"... Arguing
about whether or not to install the broken tool is not exactly my idea of
"productive". We should ignore it and not install it until it's fixed again.

>>>In this case they need to be controlled
>>>via USE_* variables like other stuff in the ssh Makefile. I.e. the corresponding
>>>BUILD_DEPENDS must be ifdefed.
>
>>Why? If I don't have X11 installed on the target system (and NEVER will,
>>because it's a dialup box), and hence will not have wish, and ssh does not
>>need wish and will happily build without it, why should I be prevented
>>from building the non-X11 port?
>
>If you don't have X11, don't install ssh-askpass.
>If you install X11, reinstall the ssh port and setenv USE_WISH beforehand.

Yes, but if you don't have X11, you currently CANNOT EVEN BUILD THE PORT.

Also, if you have tcl74 and tk4 installed, you cannot build either because
wish is installed as "wish4.0".  This is not one of the files it probes for
(it checks wish, wishx and wish4.1), and tcl74 / tcl and tk4 / tk are both
mutually exclusive.  Forcing the ssh build to be dependent on one of the two
mutually exclusive packages is very bad.

>>As far as I can see, they are used like this (in sh terms):
>>WISH=`command -v wish 2>/dev/null`
>>if [ -n "$WISH" ] && [ -x "$WISH" ]; then
>>  :  # keep the wish found on $PATH
>>else
>>  WISH=/usr/local/bin/wish
>>  echo "Wish not installed, ssh-askpass will not work."
>>fi
>>.....
>>echo "#! $WISH" > ssh-askpass
>>cat ssh-askpass.in >> ssh-askpass
>
>>If you build ssh and later install wish, the ssh-askpass will then work.
>>It's a runtime dependency, not a BUILD_DEPENDS.
>
>It isn't acceptable to guess the path for security tools;
>the path must be exact. The better way is to reinstall ssh when additional
>software becomes available.

>The same words apply to perl5 & ssh-make-known-hosts:
>either the path must be known exactly or this script must not be installed.

ssh-askpass never used to be installed, until patch-ad.  Since it's not 
working, it probably should not be installed for now.

I would agree to not installing them if the run-time tools are missing, but I
don't see how you can prevent ssh-askpass and make-known-hosts from being
installed from a package if perl5/wish are missing.

>There is yet one problem related to this: building a package (PLIST);
>it is unclear whether it must have the minimal ssh scripts set.

Currently, there are no packages built for ssh because of US-export stupidity.

Satoshi once said something like this: "We can only build packages to assume
standard locations of things. We can't take responsibility for not using
default locations." 

What can you do?  The odds are that the building machine has a complete
system, with X11, tcl/tk/wish etc.  If you build a package, it will have the
complete kit, with hard coded paths in it, and a path to /usr/X11R6/bin/xauth.
There's no guarantee that the machine that installs the package will have them
in the same place, or even if it will have them.

Requiring X11 and/or wish is not the answer there either, as it only makes
everybody's life difficult.

Also, since we are installing into /usr/local/bin and /usr/local/sbin, there
is no more risk of having paths coded to /usr/local/bin/wish and
/usr/local/bin/perl.  If a hacker could place in a fake /usr/local/bin/wish,
they could just as easily put in a fake /usr/local/bin/ssh and wait for you to
run it.

>>Hmm, I just re-ran the "make" to build the port. I can see that there
>>are a few things that "configure" has got wrong...
>
>>It should also use the system libgmp and the zlib port rather than
>>building its own....
>
>Ssh may depend on the libgmp/zlib version used. Configure doesn't even
>try to find them in the system.

I spoke to the SSH author about this a few weeks ago.  He said "send me
working patches and I'll consider putting support for that in".  I never got
around to it...  (I see that Mark has done the first part)

>-- 
>Andrey A. Chernov        : And I rest so composedly,  /Now, in my bed,
>ache@astral.msk.su       : That any beholder  /Might fancy me dead -
>http://dt.demos.su/~ache : Might start at beholding me,  /Thinking me dead.
>RELCOM Team,FreeBSD Team :         E.A.Poe         From "For Annie" 1849

BTW: ssh-1.2.12a is SERIOUSLY crippled.  It is damaged in several ways as part
of the "emergency patch", and still not secure because it installed
/usr/local/bin/ssh setuid-root.  It now creates files in your home directory
while running as root, causing potential new holes and races. :-(

Cheers,
-Peter
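The thread's worry about the interpreter path that configure bakes into the "#!" line of ssh-askpass and ssh-make-known-hosts (a probed path, or a default like /usr/local/bin/wish that may not exist, or one a local user could replace) suggests an install-time check. The script below is an added example, not code from the ssh port or from either poster: check_interp reads the interpreter path out of a script's "#!" line and reports whether it exists, is executable, and whether it or its directory is group- or world-writable. The sample scripts and fake interpreters are constructed in a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added example (not from the ssh port or this thread): verify the interpreter
# path hard-coded into a generated script before installing it.

# check_interp FILE -> prints the interpreter path; exit status:
#   0  interpreter exists, is executable, and neither it nor its directory
#      is group- or world-writable
#   1  FILE has no "#!" line at all
#   2  interpreter path missing or not executable (the "wish4.0" situation)
#   3  interpreter or its directory is group- or world-writable
check_interp() {
    IFS= read -r line < "$1" || return 1
    case "$line" in
        '#!'*) ;;
        *) return 1 ;;
    esac
    # strip "#!" and split on blanks: the first word is the program path
    set -- ${line#"#!"}
    interp=$1
    echo "$interp"
    [ -x "$interp" ] || return 2
    for p in "$interp" `dirname "$interp"`; do
        # columns 6 and 9 of "ls -ld" output are the group and other w bits
        case `ls -ld "$p" | cut -c6,9` in
            *w*) return 3 ;;
        esac
    done
    return 0
}

# Constructed samples standing in for what configure writes (all hypothetical).
SAMPLES=`mktemp -d "${TMPDIR:-/tmp}/askpass.XXXXXX"`
mkdir "$SAMPLES/bin"; chmod 755 "$SAMPLES/bin"
printf '#!/bin/sh\necho wish\n' > "$SAMPLES/bin/wish"; chmod 755 "$SAMPLES/bin/wish"
printf '#!/bin/sh\necho perl\n' > "$SAMPLES/bin/perl"; chmod 777 "$SAMPLES/bin/perl"
echo "#! $SAMPLES/bin/wish"    > "$SAMPLES/ssh-askpass"          # probed path exists
echo "#! $SAMPLES/bin/wish4.0" > "$SAMPLES/ssh-askpass.default"  # default never installed
echo "#! $SAMPLES/bin/perl"    > "$SAMPLES/ssh-make-known-hosts" # world-writable perl
echo "plain text"              > "$SAMPLES/notascript"

for f in ssh-askpass ssh-askpass.default ssh-make-known-hosts notascript; do
    rc=0; interp=`check_interp "$SAMPLES/$f"` || rc=$?
    echo "$f: interpreter '$interp' status $rc"
done
```

A status of 2 or 3 is the case where the thread argues the script should simply not be installed rather than shipped with a guessed path.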
