Date: Sat, 13 Jun 2015 14:48:04 +0200
From: Michelle Sullivan <michelle@sorbs.net>
To: Carmel NY <carmel_ny@outlook.com>
Cc: FreeBSD Ports <freebsd-ports@freebsd.org>
Subject: Re: OpenSSL Security Advisory [11 Jun 2015]
Message-ID: <557C2684.90302@sorbs.net>
In-Reply-To: <BLU436-SMTP117F30000C7F3A01C51964280BA0@phx.gbl>
References: <201506130551.t5D5pqiO084627@gw.catspoiler.org> <557C1042.4050405@sorbs.net> <20150613113644.GA1259@xtaz.uk> <BLU436-SMTP117F30000C7F3A01C51964280BA0@phx.gbl>

Carmel NY wrote:
> On Sat, 13 Jun 2015 12:36:44 +0100, Matt Smith stated:
>
>> The other alternatives are as you say, put /usr/local/bin before
>> /usr/bin in the $PATH. Or add an alias for commands like ssh to point to
>> the ports version. These methods aren't quite as clean though.
>>
>
> Swapping the PATH can, in a few instances, really mess up attempting to build
> a port. I finally gave up and used the "alias" idea for openssl. It appears
> to work Okay.
>

From a security aspect...

Do all your users alias? (assumption: it's more than just you on the system)
Do you check the alias is set every time you log in to a session?
If you change to another shell for any reason is the alias persistent?
(e.g. as root (defaults to csh) sometimes I have to do:
sh -c 'for a in x y z ; do ( cd ${a} && rsync -e ssh remote.server:/path ) ; done' )
- and do other users know that this would be wrong?

See the point I mean?

For the security conscious one would know to use the full path of ssh,
most do not do this... a large percentage have no idea that they would
even need to, let alone remember.

Regards,

Michelle

PS: There is a workaround for ssh clients in /etc/ssh/ssh_config to stop
it falling back to "insecure" protocols - though every freebsd-update
attempts to change this file back to the default... fortunately I have
puppet to reset the file in the event of me missing the update/reset.

-- 
Michelle Sullivan
http://www.mhix.org/
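
The following is an added example, not part of the message above. It checks which binary a non-interactive `sh -c` actually resolves for a command, which is the case the message says an alias does not cover. The function names are hypothetical, and the sandbox directories are constructed stand-ins for /usr/bin (base) and /usr/local/bin (ports).

```shell
#!/bin/sh
# Added example. "base" and "ports" are constructed sandbox directories that
# stand in for /usr/bin and /usr/local/bin; nothing on the real system is touched.

# Print the path a fresh, non-interactive sh resolves CMD to under SEARCH_PATH.
# Aliases are not inherited by child shells, so only PATH decides here.
resolve_in_sh() {  # usage: resolve_in_sh CMD SEARCH_PATH
    PATH="$2" /bin/sh -c 'command -v "$1"' sh "$1"
}

# Return 0 only if sh -c would run WANT_DIR/CMD; print a one-line verdict.
audit_cmd() {  # usage: audit_cmd CMD WANT_DIR SEARCH_PATH
    got=$(resolve_in_sh "$1" "$3") || got="(not found)"
    if [ "$got" = "$2/$1" ]; then
        echo "OK   $1 -> $got"
    else
        echo "WARN $1 -> $got, expected $2/$1"
        return 1
    fi
}

# Build the constructed sandbox: a fake ssh and openssl in each directory.
make_sandbox() {
    root=$(mktemp -d "${TMPDIR:-/tmp}/pathaudit.XXXXXX") || return 1
    mkdir "$root/base" "$root/ports"
    for d in base ports; do
        for c in ssh openssl; do
            printf '#!/bin/sh\necho %s %s\n' "$d" "$c" > "$root/$d/$c"
            chmod +x "$root/$d/$c"
        done
    done
    echo "$root"
}

sandbox=$(make_sandbox)
for c in ssh openssl; do
    # Base directory first: sh -c runs the base binary, alias or no alias.
    audit_cmd "$c" "$sandbox/ports" "$sandbox/base:$sandbox/ports" || true
    # Ports directory first: sh -c runs the ports binary.
    audit_cmd "$c" "$sandbox/ports" "$sandbox/ports:$sandbox/base" || true
done
rm -rf "$sandbox"
```

On a real host the same two functions can be pointed at the actual directories and the PATH a given user's session ends up with.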