Date: Wed, 31 Jan 2001 02:25:26 -0800
From: Gregory Sutter
To: Ade Lovett
Cc: Rasputin, freebsd-security@freebsd.org, imp@village.org
Subject: Re: OpenSSH b0rked (was RE: Problems with IPFW patch)
Organization: Zer0

On 2001-01-29 10:14 -0600, Ade Lovett wrote:
> On Mon, Jan 29, 2001 at 09:57:53AM +0000, Rasputin wrote:
> > Killing off sshd obviously makes remote admin a real problem, though;
> > is there another way to guarantee we'd notice?
>
> If it's not going to be backed out (a serious mistake, IMO), then
> UPDATING needs to be modified at least:
>
> 200101xx
>     The 'ConnectionsPerPeriod' directive in /etc/ssh/sshd_config
>     has been deprecated. Please ensure that you either comment
>     out, or preferably remove, this entry BEFORE REBOOTING.
>     /usr/sbin/sshd after this date WILL NOT RUN with this directive
>     in place, which is likely to cause substantial issues for
>     headless machines.

If it's deprecated, it's deprecated, and people shouldn't use it.
That's not what's been done, though. The support for it has been
removed, and in a sudden, unannounced, and poorly-implemented fashion.
Either back this out or repair it so that sshd issues a warning and
continues running. This is absolutely pointless breakage in a product
that's supposed to be _stable_.

Only the fact that I happened to be particularly fastidious in my
mergemastering saved me from having to borrow a car and drive to my
servers. It would have pissed me off even more otherwise.

Greg
--
Gregory S. Sutter               Bureaucrats cut red tape--lengthwise.
mailto:gsutter@zer0.org
http://www.zer0.org/~gsutter/
hkp://wwwkeys.pgp.net/0x845DFEDD
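
A pre-reboot check of the kind the proposed UPDATING entry asks for, as an added example that is not part of the original message or of FreeBSD: it reports active (uncommented) uses of ConnectionsPerPeriod in an sshd_config so they can be removed before sshd is restarted. The function names, the REMOVED_DIRECTIVES variable and the sample config (including the 5/10 value) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sshd_config directives the new sshd no longer accepts.
# The list holds the one directive named in the quoted UPDATING text.
REMOVED_DIRECTIVES="ConnectionsPerPeriod"

# Print "file:line: keyword" for each active use of a removed directive.
# Returns 0 if the file is clean, 1 on any hit, 2 if the file is unreadable.
check_sshd_config() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    awk -v removed="$REMOVED_DIRECTIVES" -v file="$cfg" '
        BEGIN {
            n = split(tolower(removed), list, " ")
            for (i = 1; i <= n; i++) bad[list[i]] = 1
        }
        {
            line = $0
            sub(/^[ \t]+/, "", line)              # indentation is allowed
            if (line == "" || line ~ /^#/) next   # blank or commented out
            split(line, f, /[ \t=]+/)             # keyword, then its value
            kw = tolower(f[1])                    # keywords are case-insensitive
            if (kw in bad) {
                printf "%s:%d: %s\n", file, NR, f[1]
                hits++
            }
        }
        END { exit (hits ? 1 : 0) }
    ' "$cfg"
}

# Constructed sample config: line 3 is commented out, line 4 is still active.
sample_config() {
    cat <<'EOF'
# constructed sample, not a real host's configuration
Port 22
#ConnectionsPerPeriod 5/10
  connectionsperperiod 5/10
PermitRootLogin no
EOF
}

# Usage: sh check.sh /etc/ssh/sshd_config   (no argument: define functions only)
if [ $# -gt 0 ]; then
    check_sshd_config "$1"
fi
```

Run it against the merged config before restarting sshd; a non-zero exit status means the file still needs editing.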