Date: Mon, 01 Jul 2002 21:08:35 -0600
From: Brett Glass
To: Garrett Wollman, Dag-Erling Smorgrav
Cc: security@FreeBSD.ORG
Subject: Re: security risk: ktrace(2) in FreeBSD prior to -current.
Message-Id: <4.3.2.7.2.20020701210508.0226bbb0@localhost>
In-Reply-To: <200207011850.g61IolTT078907@khavrinen.lcs.mit.edu>
References: <200206301817.EAA05639@caligula.anu.edu.au> <20020701135719.GA65770@palomine.net>
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms.

Garrett,

I agree with you. I have wiped the base install from every machine I administer and built OpenSSH-portable 3.4 instead. I've also turned off ChallengeResponseAuthentication on many machines, as well as protocol version 2 on machines where it's not needed. (SSH 1.5 is *slightly* less secure against man-in-the-middle attacks than 2, but not enough to matter -- and all of the recent holes have been in SSH 2.)

--Brett

At 12:50 PM 7/1/2002, Garrett Wollman wrote:

>I don't care about the base-install ssh. Personally, I'd rather it
>didn't exist, and I think admins who install it need to have their
>heads checked. So there!