From owner-freebsd-security Mon Jun 24 20:41:21 2002
Date: Mon, 24 Jun 2002 21:40:27 -0600
From: "Dalin S. Owen" <dowen@nexusxi.com>
To: Brian Behlendorf <brian@hyperreal.org>
Cc: freebsd-security@freebsd.org
Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd)
Message-ID: <20020624214027.A7100@nexusxi.com>
In-Reply-To: <20020624202204.P310-100000@yez.hyperreal.org>

You can't compromise it if you can't connect to it. :)

On Mon, Jun 24, 2002 at 08:22:28PM -0700, Brian Behlendorf wrote:
>
> Well, the choice to preserve that behavior and run a potentially
> compromisable sshd is yours.
>
>       Brian
>
> On Mon, 24 Jun 2002, Dalin S. Owen wrote:
> > I can't do that, as I use the login.conf caps that only work with the FreeBSD-bundled ssh.
> >
> > On Mon, Jun 24, 2002 at 04:38:17PM -0700, Brian Behlendorf wrote:
> > > On Mon, 24 Jun 2002, Dalin S. Owen wrote:
> > > > FreeBSD's OpenSSH is too old, it doesn't have PrivSep.. :( So firewall
> > > > your port 22 guys. :)
> > >
> > > I upgraded to openssh-portable 3.3p1 from ports; note that this morning
> > > the port was updated to build openssl 0.9.6d as well, rather than use
> > > FreeBSD's openssl libs.
> > >
> > > I also had to enable privsep; this requires creating an sshd user & group,
> > > and creating an empty /var/empty/ for the priv separator to chroot to.
> > > Hopefully the openssh-portable port can be updated to create that account
> > > & dir at some point, since privsep is on now by default.
> > >
> > > Brian
>

-- 
Regards,
Dalin S. Owen
Nexus XI Corp.
Tel: +1-780-708-2480
Email: dowen@nexusxi.com
Web: http://www.nexusxi.com/
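As an added example that is not part of the thread, a POSIX sh check for the privsep prerequisites Brian describes: the unprivileged sshd account and an empty, root-owned, non-writable /var/empty for the child to chroot into. The default path, owner and account name are assumptions taken from the conventions he mentions; all three are parameters.

```shell
#!/bin/sh
# Added example, not code from the thread or from the openssh-portable port.
# Assumes the conventional /var/empty chroot owned by root and an "sshd"
# account; pass other values as arguments to check a different setup.

# Usage: check_privsep_dir DIR [OWNER]
# Returns 0 if DIR is an empty directory owned by OWNER (default root) and
# not writable by group or others; prints the reason and returns 1 otherwise.
check_privsep_dir() {
    dir=$1
    owner=${2:-root}

    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"; return 1
    fi
    # Anything inside the chroot is reachable by the unprivileged child,
    # so the directory must be truly empty (dotfiles included).
    if [ -n "$(ls -A "$dir")" ]; then
        echo "$dir: not empty"; return 1
    fi
    # The child must not be able to create files in its own chroot.
    if [ -n "$(find "$dir" -maxdepth 0 \( -perm -g+w -o -perm -o+w \))" ]; then
        echo "$dir: writable by group or others"; return 1
    fi
    # Only the expected owner (root in practice) may control the directory.
    if [ -z "$(find "$dir" -maxdepth 0 -user "$owner")" ]; then
        echo "$dir: not owned by $owner"; return 1
    fi
    return 0
}

# Usage: check_privsep_user [NAME]
# Returns 0 if the unprivileged account (default sshd) exists.
check_privsep_user() {
    user=${1:-sshd}
    # id(1) works on both FreeBSD and Linux; getent(1) is not on FreeBSD.
    id "$user" >/dev/null 2>&1 || { echo "$user: no such user"; return 1; }
    return 0
}

# Stand-alone run with the conventional defaults.
check_privsep_user && check_privsep_dir /var/empty
```

Run it after enabling UsePrivilegeSeparation to confirm the chroot target and account are in place before restarting sshd.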