From owner-freebsd-questions Tue Jun 25 13:59:42 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from smtp.infracaninophile.co.uk (happy-idiot-talk.infracaninophile.co.uk [81.2.69.218]) by hub.freebsd.org (Postfix) with ESMTP id 11F8C37B400 for ; Tue, 25 Jun 2002 13:59:36 -0700 (PDT)
Received: from happy-idiot-talk.infracaninophile.co.uk (localhost.infracaninophile.co.uk [IPv6:::1]) by smtp.infracaninophile.co.uk (8.12.4/8.12.4) with ESMTP id g5PKxY4W050344; Tue, 25 Jun 2002 21:59:34 +0100 (BST) (envelope-from matthew@happy-idiot-talk.infracaninophile.co.uk)
Received: (from matthew@localhost) by happy-idiot-talk.infracaninophile.co.uk (8.12.4/8.12.4/Submit) id g5PKxSIf050343; Tue, 25 Jun 2002 21:59:28 +0100 (BST)
Date: Tue, 25 Jun 2002 21:59:28 +0100
From: Matthew Seaman
To: Scott Mitchell
Cc: Christopher Schulte, Lord Raiden, Marco Radzinschi, FreeBDS-Questions
Subject: Re: Upcoming OpenSSH vulnerability (fwd)
Message-ID: <20020625205928.GA50230@happy-idiot-talk.infracaninophi>
References: <5.1.1.6.2.20020624224948.02923518@pop3s.schulte.org> <20020624234646.G22328-100000@mail.radzinschi.com> <4.2.0.58.20020625134233.009992b0@pop.netzero.net> <5.1.1.6.2.20020625124040.041c50f0@pop3s.schulte.org> <20020625205840.B381@fishballoon.dyndns.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020625205840.B381@fishballoon.dyndns.org>
User-Agent: Mutt/1.5.1i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Tue, Jun 25, 2002 at 08:58:40PM +0100, Scott Mitchell wrote:
> With previous ssh vulnerabilities I've been able to just patch the base
> system, by rebuilding the world or using the patch included with the
> advisory. However, to get to 3.3 it looks like I'd need to install a port.
> There are two OpenSSH ports: security/openssh and security/openssh-portable
> What's the difference between these two ports?

security/openssh is the straight OpenBSD code, also used in NetBSD.
security/openssh-portable is the modified portable version everyone else
uses. The main difference is that openssh-portable includes PAM support.

> Which one should I install to deal with this vulnerability?

Either will do: however, the plan is that OpenSSH as supplied in the base
system will be upgraded to OpenSSH portable in the very near future. As
there shouldn't be too many FreeBSD-specific modifications to the portable
code, it's likely that we'll be tracking new releases of OpenSSH rather
more closely than has been the case up to now.

I'd install openssh-portable 3.3p1 now, before the full disclosure of the
vulnerability on (I think) Thursday, which should tide you over until the
base system gets 3.4p1 with the full patch. You need to install 3.3p1 from
a ports tree cvsup'd sometime after last night to get the separation of
privilege thing, which will provide almost complete protection from the
security hole.

Remember to copy your host keys to /usr/local/etc:

    cd /etc/ssh
    cp ssh_host*key* /usr/local/etc/

and set:

    sshd_program="/usr/local/sbin/sshd"

in /etc/rc.conf to use the new daemon by default.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
Tel: +44 1628 476614                                  Marlow
Fax: +44 0870 0522645                                 Bucks., SL7 1TH UK
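The two follow-up steps in the mail above (copying the host keys into /usr/local/etc and pointing sshd_program in /etc/rc.conf at the port's daemon) are easy to get subtly wrong: a private host key copied with loose permissions, a duplicated rc.conf assignment, or a typo in the path that leaves the old base-system sshd running. The POSIX shell script below is an added example, not part of the original mail or of the FreeBSD ports; the function names are mine, the key location /usr/local/etc and the /usr/local/sbin/sshd path come from the mail, and it only touches real system paths when run with --apply as root. The version check parses the string ssh -V prints, so it can be used to confirm that the daemon now on the path is at least 3.3p1.

```shell
#!/bin/sh
# Added example (not from the original mail): helpers for migrating from the
# base-system sshd to the security/openssh-portable daemon. All paths are
# parameters so the functions can be exercised against scratch directories.

# copy_host_keys SRC DST
# Copies ssh_host*key* from SRC to DST, keeping private keys 0600 and public
# keys 0644, and refuses to overwrite a key that already exists in DST.
copy_host_keys() {
    src=$1; dst=$2
    mkdir -p "$dst"
    for f in "$src"/ssh_host*key*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if [ -e "$dst/$name" ]; then
            echo "refusing to overwrite existing key $dst/$name" >&2
            return 1
        fi
        case "$name" in
            *.pub) mode=644 ;;
            *)     mode=600 ;;
        esac
        cp "$f" "$dst/$name" && chmod "$mode" "$dst/$name" || return 1
    done
    return 0
}

# set_rc_var RCFILE NAME VALUE
# Sets NAME="VALUE" in RCFILE, replacing any existing assignment or appending
# one, so repeated runs leave exactly one line for NAME.
set_rc_var() {
    rcfile=$1; name=$2; value=$3
    tmp="$rcfile.tmp.$$"
    if [ -f "$rcfile" ]; then
        grep -v "^${name}=" "$rcfile" > "$tmp" || true   # grep exits 1 if nothing is left
    else
        : > "$tmp"
    fi
    printf '%s="%s"\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$rcfile"
}

# get_rc_var RCFILE NAME
# Prints the (unquoted) value of the last NAME="..." assignment in RCFILE.
get_rc_var() {
    sed -n "s/^$2=\"\\(.*\\)\"\$/\\1/p" "$1" | tail -n 1
}

# check_sshd_program RCFILE
# Succeeds only if sshd_program in RCFILE is an absolute path to an executable;
# a relative path (e.g. a missing leading slash) would leave rc unable to start
# the new daemon.
check_sshd_program() {
    prog=$(get_rc_var "$1" sshd_program)
    case "$prog" in
        /*) [ -x "$prog" ] ;;
        *)  echo "sshd_program '$prog' is not an absolute path" >&2; return 1 ;;
    esac
}

# openssh_version_ok VERSION_STRING MIN_MAJOR MIN_MINOR
# Parses a string of the form "OpenSSH_3.3p1, SSH protocols ..." (what ssh -V
# prints) and succeeds if the version is at least MIN_MAJOR.MIN_MINOR.
openssh_version_ok() {
    v=${1#OpenSSH_}
    v=${v%%[!0-9.]*}          # drop "p1", release suffixes and anything after
    major=${v%%.*}
    case "$v" in
        *.*) minor=${v#*.}; minor=${minor%%.*} ;;
        *)   minor=0 ;;
    esac
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# Guarded so that sourcing the file only defines the functions.
if [ "${1:-}" = "--apply" ]; then
    copy_host_keys /etc/ssh /usr/local/etc
    set_rc_var /etc/rc.conf sshd_program /usr/local/sbin/sshd
    check_sshd_program /etc/rc.conf
    openssh_version_ok "$(/usr/local/sbin/sshd -h 2>&1 | head -n 1)" 3 3 \
        || echo "warning: could not confirm the new sshd is 3.3 or later" >&2
fi
```

After the rc.conf change the old daemon is still the one listening until sshd is restarted, so a final check is to confirm with ps or sockstat that the process bound to port 22 is the one under /usr/local/sbin.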