From owner-freebsd-security Mon Jun 24 22:35:10 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 3F06737B401 for ; Mon, 24 Jun 2002 22:35:05 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id XAA13131 for ; Mon, 24 Jun 2002 23:34:53 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020624231924.00db8360@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Mon, 24 Jun 2002 23:34:51 -0600
To: security@freeBSD.ORG
From: Brett Glass
Subject: Workarounds for OpenSSH problems
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

A few quick questions.

Has anyone on the list successfully used privilege separation on the OpenSSH 3.3p that's now in the ports tree? Does it work? Does privilege separation have any negative side effects, such as disabling compression or some forms of authentication?

Since I have a lot of systems to cover, is it possible to copy just the SSHD binary of the later version over the one that's installed by default when one installs FreeBSD? (I'd rather do this than mess with installing a port -- especially since many of my production machines don't have the ports collection. It's a disk hog.)

If there's a problem with privilege separation or authentication on the 3.3p port, I'd be tempted to use the commercial SSH for a while. SSH, Inc. allows unlimited non-commercial use or a 30 day free evaluation period for commercial use; by the time it expires, the dust will probably have settled and I can switch back.
Or I always have the option of paying SSH, Inc. for a license for the commercial uses and continuing to use the code for non-commercial uses.

--Brett Glass