Date: Thu, 21 Dec 2000 08:23:37 -0800 (PST)
From: Roger Marquis
To: security@FreeBSD.ORG
Cc: Dag-Erling Smorgrav
Subject: Re: dsniff 2.3 info:

On 21 Dec 2000, Dag-Erling Smorgrav wrote:
> Roger Marquis writes:
> > Bad administrators?  You must be joking. [it's FreeBSD's fault...]

Dag, I would prefer if you could quote what I said instead of
inserting what you want to hear and attempting to make it look like
that's what I said.

For the record nobody said "it's FreeBSD's fault..." other than Dag.
The ssh ports, however, are the source of many ssh identity-has-changed
errors (the original point of this thread). This is the result of some
incorrect assumptions on the part of the ports maintainers and a lack
of port standards or enforcement in general.

> We are eagerly anticipating patches that address the issues you
> mention. You do have patches, don't you?

This answer, as we used to say in the 60s, is a cop-out. Sysadmins,
though they may be experienced juggling various applications, are not
programmers nor should they try to be. Expecting everyone who uses
FreeBSD to be a developer is neither realistic nor a good way to
encourage a broad user-base. Administration and programming are
high-level functions and you can't specialize in both, at least not
well.

Ports maintainers, on the other hand, should have a better set of
guidelines to work from.
This is especially the case for security related applications like ssh.

Just yesterday I ran "cd /usr/ports/security/openssh; make --prefix=/;
make install". The port A) ignored the "--prefix", B) ignored the
pre-installed OS binaries, keys, and config files, and C) failed to
check inetd.conf before putting an sshd.sh under /usr/local/etc/rc.d.

The problems with these ports are obvious. Ignore them if you wish but
at least don't simultaneously claim that they're the result of "stupid
users" or "stupid administrators".

IMHO,
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/