From owner-freebsd-security  Mon Jun 24 23:13:37 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [63.229.157.2])
	by hub.freebsd.org (Postfix) with ESMTP id 12B9237B4BC
	for <security@FreeBSD.ORG>; Mon, 24 Jun 2002 23:10:05 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [63.229.157.2])
	by lariat.org (8.9.3/8.9.3) with ESMTP id AAA13446;
	Tue, 25 Jun 2002 00:09:55 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020625000559.00dcb2c0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Tue, 25 Jun 2002 00:09:53 -0600
To: Andrew McNaughton <andrew@scoop.co.nz>
From: Brett Glass <brett@lariat.org>
Subject: Re: Workarounds for OpenSSH problems
Cc: security@FreeBSD.ORG
In-Reply-To: <20020625175531.F58819-100000@a2>
References: <4.3.2.7.2.20020624231924.00db8360@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

At 12:02 AM 6/25/2002, Andrew McNaughton wrote:

>I've installed it.  It griped and wouldn't start without `mkdir
>/var/empty`.  Having added that it's running, but it hasn't griped about
>the lack of an 'sshd' user/group.  I added them anyway.  I don't see any
>sign of an sshd process running as anything other than root though.
>Compression is enabled when I connect, but I'm not sure that the privilege
>separation is actually working.

I'd be inclined to think it wasn't. Did you make with -D OPENSSH_OVERWRITE_BASE
so that it overwrote the old implementation? (You might still be running the
old one.)

>`make package` on one machine, and then install from the package on the
>others.  It's somewhat dependent on keeping your machines versions in
>sync, but then its also a strategy which makes it easier tokeep everythin
>in sync.

I've got to deal with machines running several versions. Some of which are
old enough that they might not be supported by the latest port.

--Brett


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message