From owner-freebsd-security Mon Jun 24 23: 2:52 2002
Delivered-To: freebsd-security@freebsd.org
Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by hub.freebsd.org (Postfix) with ESMTP id E655637B405 for ; Mon, 24 Jun 2002 23:02:46 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by a2.scoop.co.nz (8.12.2/8.12.2) with ESMTP id g5P62j2G059095; Tue, 25 Jun 2002 18:02:45 +1200 (NZST) (envelope-from andrew@scoop.co.nz)
Date: Tue, 25 Jun 2002 18:02:45 +1200 (NZST)
From: Andrew McNaughton
X-X-Sender: andrew@a2
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: Workarounds for OpenSSH problems
In-Reply-To: <4.3.2.7.2.20020624231924.00db8360@localhost>
Message-ID: <20020625175531.F58819-100000@a2>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Mon, 24 Jun 2002, Brett Glass wrote:

> A few quick questions.
>
> Has anyone on the list successfully used privilege separation on the
> OpenSSH 3.3p that's now in the ports tree? Does it work? Does privilege
> separation have any negative side effects, such as disabling compression

I've installed it. It griped and wouldn't start without `mkdir /var/empty`.
Having added that it's running, but it hasn't griped about the lack of an
'sshd' user/group. I added them anyway. I don't see any sign of an sshd
process running as anything other than root though. Compression is enabled
when I connect, but I'm not sure that the privilege separation is actually
working.

> or some forms of authentication? Since I have a lot of systems to cover,
> is it possible to copy just the SSHD binary of the later version over the
> one that's installed by default when one installs FreeBSD? (I'd rather do
> this than mess with installing a port -- especially since many of my
> production machines don't have the ports collection. It's a disk hog.)

`make package` on one machine, and then install from the package on the
others. It's somewhat dependent on keeping your machines' versions in sync,
but then it's also a strategy which makes it easier to keep everything in
sync.

Andrew McNaughton

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message