Date:      Wed, 26 Jun 2002 05:11:32 -0700
From:      "Philip J. Koenig" <pjklist@ekahuna.com>
To:        security@FreeBSD.ORG
Cc:        Brett Glass <brett@lariat.org>
Subject:   Binary upgrade available
Message-ID:  <20020626121130543.AAA754@empty1.ekahuna.com@pc02.ekahuna.com>
In-Reply-To: <bulk.41778.20020626034755@hub.freebsd.org>

> Date: Tue, 25 Jun 2002 19:44:43 -0600
> From: Brett Glass <brett@lariat.org>
> 
> Thanks to Jeroen, a binary package that updates the OpenSSH in the base 
> FreeBSD install to 3.3p1 is available at
> 
> http://bob.cryptohill.net/~gelderen/openssh-overwrite-base-3.3p1_1.tgz
> 
> This package will install right over the base install in FreeBSD 4.4, 
> 4.5, and 4.6, and will create the necessary pseudo-user, group, and 
> chroot directory for privilege separation. It won't touch your existing 
> sshd_config, so you'll need to add
> 
> UsePrivilegeSeparation yes
> Compression yes
> 
> to that file and remove any obsolete directives that this new version 
> complains about.
> 
> Hopefully, this will speed administrators' jobs as they try to plug the 
> OpenSSH hole before next week.
> 
> - --Brett Glass


Very handy, and much appreciated.

Couple of observations:

According to the steps outlined earlier to ascertain whether privsep 
is working, in my case it seems not to be. (I am of the impression 
that the path shown at the end should now show "/usr/empty"):


#lsof -p <sshd pid> |grep rtd
sshd	109	root	rtd	VDIR	13,196608	1024	2 /


Also, after the install runs, it asks you to make some configuration 
settings that apply to the port, but not to this variation that 
overwrites the base version. (If you do make those changes, it will 
point to files in /usr/local that don't exist.)

Lastly when sshd starts up in my case, it complains non-fatally:

"sshd/etc/ssh/sshd_config line 68: Deprecated option CheckMail"


Phil

(PS: I bcc'd Jeroen, or at least an address I found in that web 
directory that appears to be him :-)



--
Philip J. Koenig                                       pjklist@ekahuna.com
Electric Kahuna Systems -- Computers & Communications for the New Millenium
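
An added example, not part of the original message or of the package it discusses: a shell helper that applies the `lsof ... | grep rtd` check to every sshd process rather than one PID, since with privilege separation the listening daemon keeps `/` as its root and only the unprivileged per-connection child is chrooted while a login is in progress. The function names, the second and third sample lines, and the use of `/usr/empty` as the expected chroot (the path mentioned in the message) are assumptions.

```shell
#!/bin/sh
# Added example: classify sshd processes by root directory from lsof output.
# Assumed lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

# privsep_roots EXPECTED_CHROOT   (reads lsof output on stdin)
# Prints one line per sshd "rtd" (root directory) entry:
#   PID USER ROOT chrooted|not-chrooted
privsep_roots() {
    awk -v want="$1" '
        $1 == "sshd" && $4 == "rtd" {
            status = ($NF == want) ? "chrooted" : "not-chrooted"
            print $2, $3, $NF, status
        }'
}

# privsep_seen EXPECTED_CHROOT   (reads lsof output on stdin)
# Succeeds if at least one sshd process has the expected chroot as its root.
privsep_seen() {
    privsep_roots "$1" | grep -q ' chrooted$'
}

# Sample input. The first line is the one quoted in the message; the other
# two are constructed to show a connection being handled: a privileged
# monitor (root, "/") and its unprivileged child inside the chroot.
sample_lsof() {
cat <<'EOF'
sshd 109 root rtd VDIR 13,196608 1024 2 /
sshd 412 root rtd VDIR 13,196608 1024 2 /
sshd 413 sshd rtd VDIR 13,196608 512 7810 /usr/empty
EOF
}

# Live use, run while a login prompt is open in another terminal:
#   lsof -c sshd | privsep_roots /usr/empty
sample_lsof | privsep_roots /usr/empty
```

Checking only the listener's PID reports `not-chrooted` whether or not privilege separation is active, so the check is meaningful only while a connection is waiting at authentication.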

