From owner-freebsd-security Mon Jan 29 8:16: 1 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hub.lovett.com (hub.lovett.com [216.60.121.161]) by hub.freebsd.org (Postfix) with ESMTP id B8A4B37B6A0 for ; Mon, 29 Jan 2001 08:15:43 -0800 (PST)
Received: from ade by hub.lovett.com with local (Exim 3.20 #1) id 14NGwV-0004R5-00; Mon, 29 Jan 2001 10:14:11 -0600
Date: Mon, 29 Jan 2001 10:14:11 -0600
From: Ade Lovett
To: Rasputin
Cc: freebsd-security@freebsd.org, imp@village.org
Subject: Re: OpenSSH b0rked (was RE: Problems with IPFW patch)
Message-ID: <20010129101411.A16899@FreeBSD.org>
References: <20010124230626.A49802@citusc17.usc.edu> <20010125103255.A78404@FreeBSD.org> <200101262153.f0QLrLL40016@earth.backplane.com> <20010129095752.A37233@dogma.freebsd-uk.eu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010129095752.A37233@dogma.freebsd-uk.eu.org>; from rasputin@FreeBSD-uk.eu.org on Mon, Jan 29, 2001 at 09:57:53AM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jan 29, 2001 at 09:57:53AM +0000, Rasputin wrote:
> In general I'd agree with Matt and aDe, but if a directive
> affecting security has changed, I'd say it's better to be notified of it
> as soon as possible.
> Killing off sshd obviously makes remote admin a real problem, though;
> is there another way to guarantee we'd notice ?

Well, something in /usr/src/UPDATING might have helped. Believe it
or not, I do read it. Nothing there.

Update -stable box, run mergemaster, ignore anything to do with
ssh_config or sshd_config since ours are fairly heavily different,
reboot, no sshd.

If it's not going to be backed out (a serious mistake, IMO), then
UPDATING needs to be modified at least:

200101xx
	The 'ConnectionsPerPeriod' directive in /etc/ssh/sshd_config
	has been deprecated. Please ensure that you either comment
	out, or preferably remove, this entry BEFORE REBOOTING.
	/usr/sbin/sshd after this date WILL NOT RUN with this directive
	in place, which is likely to cause substantial issues for
	headless machines.

There. Another mighty victory for the Confederation.

-aDe

--
Ade Lovett, Austin, TX.                 ade@FreeBSD.org
FreeBSD: The Power to Serve             http://www.FreeBSD.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
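
The pre-reboot check that the proposed UPDATING entry calls for, as an added example that is not part of the original message or of FreeBSD: a POSIX shell function that flags active (uncommented) uses of the deprecated directive in an sshd_config. The function name `check_sshd_config`, the `DEPRECATED` list and the sample file are constructed for this illustration; only `ConnectionsPerPeriod` comes from the message.

```shell
#!/bin/sh
# Added example. DEPRECATED holds only the directive named in the message
# above; it is a space-separated list that can be extended.
DEPRECATED="ConnectionsPerPeriod"

# check_sshd_config FILE
# Prints "FILE:LINE: keyword" for each active use of a deprecated directive.
# Returns 0 if clean, 1 if any was found, 2 if FILE cannot be read.
check_sshd_config() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    awk -v list="$DEPRECATED" -v file="$cfg" '
        BEGIN { n = split(tolower(list), bad, " ") }
        {
            line = $0
            sub(/^[ \t]+/, "", line)              # drop leading whitespace
            if (line == "" || line ~ /^#/) next   # skip blanks and comments
            split(line, f, /[ \t=]+/)             # keyword is the first token
            kw = tolower(f[1])                    # keywords are case-insensitive
            for (i = 1; i <= n; i++)
                if (kw == bad[i]) {
                    printf "%s:%d: %s\n", file, NR, f[1]
                    found = 1
                }
        }
        END { exit (found ? 1 : 0) }
    ' "$cfg"
}

# Constructed sample config (not from the original message): one commented
# and one active use of the directive, the latter indented and lower-case.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
# ConnectionsPerPeriod 5/10
  connectionsperperiod 5/10
PermitRootLogin no
EOF

if check_sshd_config "$sample"; then
    echo "sshd_config clean, safe to reboot"
else
    echo "remove the entries listed above BEFORE REBOOTING"
fi
rm -f "$sample"
```

On a real machine the argument would be /etc/ssh/sshd_config, run after mergemaster and before the reboot. Current OpenSSH releases also provide `sshd -t`, which validates the whole configuration file without starting the daemon.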