Date: Mon, 29 Jan 2001 09:57:53 +0000
From: Rasputin
To: freebsd-security@freebsd.org
Subject: Re: OpenSSH b0rked (was RE: Problems with IPFW patch)
Message-ID: <20010129095752.A37233@dogma.freebsd-uk.eu.org>
In-Reply-To: <200101262153.f0QLrLL40016@earth.backplane.com>; from dillon@earth.backplane.com on Fri, Jan 26, 2001 at 01:53:21PM -0800

* Matt Dillon [010126 21:55]:
> :I would ask, that in -STABLE at least, the fatal error be backed
> :out to a warning, at least for a few months (with sshd ignoring the
> :directive, and continuing to run), and then only move to a fatal
> :error + die.
> :
> :-aDe
>
> I second this request. It also happened when pam.conf/ssh changed.
> Only the serial console saved me from a car trip to one of my
> colocated machines. Two such changes in a row for ssh is too much.
>
> -Matt

In general I'd agree with Matt and aDe, but if a directive affecting
security has changed, I'd say it's better to be notified of it as soon
as possible.

Killing off sshd obviously makes remote admin a real problem, though;
is there another way to guarantee we'd notice?

--
Rasputin
Jack of All Trades :: Master of Nuns