From owner-freebsd-security Mon Jan 22 11:08:17 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id LAA06444 for security-outgoing; Mon, 22 Jan 1996 11:08:17 -0800 (PST) Received: from skiddaw.elsevier.co.uk (skiddaw.elsevier.co.uk [193.131.222.60]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id LAA06438 for ; Mon, 22 Jan 1996 11:08:12 -0800 (PST) Received: from snowdon.elsevier.co.uk (snowdon.elsevier.co.uk [193.131.197.164]) by skiddaw.elsevier.co.uk (8.6.12/8.6.12) with ESMTP id TAA21569 for ; Mon, 22 Jan 1996 19:06:24 GMT Received: from cadair.elsevier.co.uk (actually host cadair) by snowdon with SMTP (PP); Mon, 22 Jan 1996 19:06:35 +0000 Received: (from dpr@localhost) by cadair.elsevier.co.uk (8.6.12/8.6.12) id TAA09960; Mon, 22 Jan 1996 19:06:36 GMT From: Paul Richards Message-Id: <199601221906.TAA09960@cadair.elsevier.co.uk> Subject: Re: ssh /etc config files location.. To: nate@sri.MT.net (Nate Williams) Date: Mon, 22 Jan 1996 19:06:35 +0000 (GMT) Cc: security@FreeBSD.org In-Reply-To: <199601221750.KAA22368@rocky.sri.MT.net> from "Nate Williams" at Jan 22, 96 10:50:21 am X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: owner-security@FreeBSD.org Precedence: bulk In reply to Nate Williams who said > > > I disagree with /etc. These are not configuration files, they are > > runtime modifiable files and should go in /var. > > Huh? They are most certainly configuration files. The public/private > keys as well as ssh_config and sshd_config are not (any more so than any > other config file ) runtime modifiable once they are initially > installed, and once they are installed (as with any configuration file) > they shouldn't be touched, unlike the files in /var/run. Now, sshd.pid > is a file that should get stuck in /var/run, but I think we'd all agree > on that move. Oh, silly me. I was thinking of the .ssh files, like known_hosts. I I still don't like things touching /etc though. I don't see why we should make exceptions for ports that install into /usr/local if they happen to have host specific configurations, that's something that the local NFS admin should sort out. You'll have exactly the same problem if you administer diskless machines. Now, on a related note, how about replacing rsh with ssh in our main tree. It's backwards compatible and rsh needs to die anyway for all the same reasons that ssh exists in the first place. I tend to find most sites I'm at these days disable r* commands for security reasons anyway amd if rsh is a needed tool they install ssh instead. Having it come as default in FreeBSD would be yet another "feature" in FreeBSD's favour. -- Paul Richards. Originative Solutions Ltd. Internet: paul@netcraft.co.uk, http://www.netcraft.co.uk Phone: 0370 462071 (Mobile), +44 1225 447500 (work)