From: "Chris McCluskey"
Sender: owner-freebsd-security@FreeBSD.ORG
Subject: FW: Which SSH now (and when)?
Date: Mon, 1 Jul 2002 17:35:08 -0700

I didn't get any response from -questions, so I thought I would try here. I know some are stupid, but keep with me ok?!

___

I was hoping that everyone out there can clarify a couple questions (and/or possibly false statements) I have regarding SSH.

FreeBSD (4.5) SSH in the system source is (or was) built from OpenSSH3.3?

FreeBSD (4.5) ships with the SSH ports (ssh and ssh2) from ssh.com?

To stay consistent with the FreeBSD project then, it would be a good idea to build out of the openssh or openssh-portable ports instead of the ssh/ssh2 ports -- using the portable port if and only if PAM support is needed?

Have the security issues recently released from ISS and OpenSSH been fixed, and have the ports in openssh and openssh-portable (both OpenSSH 3.4) been initially tested and found to be ok in the following areas -- 1) ChallengeResponseAuth is now fixed, 2) key exchanges with previously created DSA or RSA keys are now working currently, and 3) PRIVSEP is now enabled by default in both openssh ports?

Are there any issues that should keep me from using the ssh.com ports (besides the possible security issues with SSH1 on a protocol level) and the lack of a PRIVSEP mechanism?

Thanks.