Date: 07 Mar 2000 08:49:09 +0200 From: Ville-Pertti Keinonen <will@iki.fi> To: Edwin Kremer <edwin+freebsd-current@cs.uu.nl> Cc: freebsd-current@freebsd.org Subject: Re: openssh question Message-ID: <86og8r2s2i.fsf@not.demophon.com> In-Reply-To: Edwin Kremer's message of "6 Mar 2000 12:29:55 %2B0200" References: <200003060833.AAA18027@windsor.research.att.com> <200003060920.CAA57713@harmony.village.org> <20000306112939.A24401@cs.uu.nl.newsgate.clinet.fi>
next in thread | previous in thread | raw e-mail | index | archive | help
Edwin Kremer <edwin+freebsd-current@cs.uu.nl> writes: > " OpenSSH is based on my version from back in 1995 or 1996. The OpenSSH > " folks have fixed many of the (security) bugs in that version, but not > " all of them when I last checked. Some of the problems in SSH1 are > " very fundamental. > " > " I do not recommend use of OpenSSH (or SSH1 generally, for that matter). > > > There hasn't been much followup on this. Anybody here who cares to > comment on this? What issues are relevant here and how bad is it? The uid-swapping code is still used by OpenSSH despite the fact that it can cause all sorts of security problems. Not all problems apply to all platforms, but I can't remember all of them and wouldn't rely on them not to cause problems on OpenBSD or FreeBSD (IIRC there are some that do). This has been fixed in later (less free) versions of ssh1. There are a number of ways to fix it. Basically switching uids from root to a user and back needs to be avoided. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86og8r2s2i.fsf>