Date: Mon, 24 Jun 2002 21:40:27 -0600
From: "Dalin S. Owen" <dowen@nexusxi.com>
To: Brian Behlendorf <brian@hyperreal.org>
Cc: freebsd-security@freebsd.org
Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)
Message-ID: <20020624214027.A7100@nexusxi.com>
In-Reply-To: <20020624202204.P310-100000@yez.hyperreal.org>; from brian@hyperreal.org on Mon, Jun 24, 2002 at 08:22:28PM -0700
References: <20020624203146.A5507@nexusxi.com> <20020624202204.P310-100000@yez.hyperreal.org>

You can't compromise it if you can't connect to it. :)

On Mon, Jun 24, 2002 at 08:22:28PM -0700, Brian Behlendorf wrote:
>
> Well, the choice to preserve that behavior and run a potentially
> compromiseable sshd is yours.
>
> Brian
>
> On Mon, 24 Jun 2002, Dalin S. Owen wrote:
> > I can't do that, as I use the login.conf caps that only work with the FreeBSD-bundled ssh.
> >
> > On Mon, Jun 24, 2002 at 04:38:17PM -0700, Brian Behlendorf wrote:
> > > On Mon, 24 Jun 2002, Dalin S. Owen wrote:
> > > > FreeBSD's OpenSSH is too old, it doesn't have PrivSep.. :( So firewall
> > > > your port 22 guys. :)
> > >
> > > I upgraded to openssh-portable 3.3p1 from ports; note that this morning
> > > the port was updated to build openssl 0.9.6d as well, rather than use
> > > FreeBSD's openssl libs.
> > >
> > > I also had to enable privsep; this requires creating an sshd user & group,
> > > and creating an empty /var/empty/ for the priv separator to chroot to.
> > > Hopefully the openssh-portable port can be updated to create that account
> > > & dir at some point, since privsep is on now by default.
> > >
> > > Brian

-- 
Regards,

Dalin S. Owen
Nexus XI Corp.
Tel: +1-780-708-2480
Email: dowen@nexusxi.com
Web: http://www.nexusxi.com/
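
An added example, not part of the original message or of the OpenSSH port: a shell check for the privsep prerequisites listed in the quoted reply (an sshd account and an empty /var/empty/). The function names, the `--check` switch, and the ownership and permission tests (root-owned, not group- or world-writable, which the thread does not mention) are assumptions of this example.

```shell
#!/bin/sh
# Added example: check the privsep prerequisites named in the thread.
# Function names, arguments and --check are assumptions of this example.

# Succeeds when the unprivileged account (default: sshd) exists.
check_privsep_user() (
    user=${1:-sshd}
    id -u "$user" >/dev/null 2>&1 || { echo "missing user: $user" >&2; exit 1; }
)

# Succeeds when DIR (default: /var/empty) is a real directory, is empty,
# is owned by WANT_UID (default: 0) and is not group- or world-writable.
# The ownership and mode tests go beyond what the thread states (assumption).
check_privsep_dir() (
    dir=${1:-/var/empty}
    want_uid=${2:-0}
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "$dir: not a directory" >&2; exit 1
    fi
    if [ -n "$(ls -A "$dir" 2>/dev/null)" ]; then
        echo "$dir: not empty" >&2; exit 1
    fi
    # ls -ldn prints "mode links uid gid ..."; -n keeps the ids numeric.
    set -f                      # no globbing while splitting the ls output
    set -- $(ls -ldn "$dir")
    if [ "$3" != "$want_uid" ]; then
        echo "$dir: owner uid $3, expected $want_uid" >&2; exit 1
    fi
    case $1 in                  # 6th char = group write, 9th = other write
        d????w*|d???????w*)
            echo "$dir: group- or world-writable ($1)" >&2; exit 1 ;;
    esac
)

# Run both checks with the defaults from the thread; returns 0 only if all pass.
privsep_report() {
    rc=0
    check_privsep_user sshd || rc=1
    check_privsep_dir /var/empty 0 || rc=1
    [ "$rc" -eq 0 ] && echo "privsep prerequisites present"
    return "$rc"
}

if [ "${1:-}" = "--check" ]; then privsep_report; fi
```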