From: "Philip J. Koenig"
Organization: The Electric Kahuna Organization
To: security@FreeBSD.ORG
Cc: Brett Glass
Reply-To: pjklist@ekahuna.com
Date: Wed, 26 Jun 2002 05:11:32 -0700
Subject: Binary upgrade available
Message-ID: <20020626121130543.AAA754@empty1.ekahuna.com@pc02.ekahuna.com>

> Date: Tue, 25 Jun 2002 19:44:43 -0600
> From: Brett Glass
>
> Thanks to Jeroen, a binary package that updates the OpenSSH in the base
> FreeBSD install to 3.3p1 is available at
>
> http://bob.cryptohill.net/~gelderen/openssh-overwrite-base-3.3p1_1.tgz
>
> This package will install right over the base install in FreeBSD 4.4,
> 4.5, and 4.6, and will create the necessary pseudo-user, group, and
> chroot directory for privilege separation. It won't touch your existing
> sshd_config, so you'll need to add
>
> UsePrivilegeSeparation yes
> Compression yes
>
> to that file and remove any obsolete directives that this new version
> complains about.
>
> Hopefully, this will speed administrators' jobs as they try to plug the
> OpenSSH hole before next week.
>
> --Brett Glass

Very handy, and much appreciated.
A couple of observations:

According to the steps outlined earlier to ascertain whether privsep is
working, in my case it seems not to be. (I am of the impression that the
path shown at the end should now show "/usr/empty"):

    # lsof -p  | grep rtd
    sshd  109  root  rtd  VDIR  13,196608  1024  2  /

Also, after the install runs, it asks you to make some configuration
settings that apply to the port, but not to this variation that
overwrites the base version. (If you do make those changes, it will point
to files in /usr/local that don't exist.)

Lastly, when sshd starts up in my case, it complains non-fatally:

    "sshd/etc/ssh/sshd_config line 68: Deprecated option CheckMail"

Phil

(PS: I bcc'd Jeroen, or at least an address I found in that web directory
that appears to be him :-)

--
Philip J. Koenig
pjklist@ekahuna.com
Electric Kahuna Systems -- Computers & Communications for the New Millenium
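The privsep check discussed in this thread, turned into something repeatable, as an added example that is not part of the original posting or of the package it describes. One caveat a practitioner should know: with privilege separation the listening sshd stays root with its root directory at "/", and only the unprivileged child that handles a connection before authentication is chrooted, so lsof has to be pointed at that child (a non-root sshd process) while a connection is in progress. The script below parses lsof output for the "rtd" (root directory) line, checks an sshd_config for the UsePrivilegeSeparation directive and for the deprecated CheckMail option mentioned above, and has an optional live mode. The function names, the PRIVSEP_DIR default of /usr/empty (taken from the posting; stock OpenSSH uses /var/empty), and all sample lsof lines and config fragments are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the list posting or the package it describes.
# Offline checks for the OpenSSH 3.3 privilege-separation setup, plus an
# optional live check. All sample inputs below are constructed.

# Directory the unprivileged pre-auth child is chrooted into. The posting
# says this package creates /usr/empty; stock OpenSSH uses /var/empty.
PRIVSEP_DIR="${PRIVSEP_DIR:-/usr/empty}"

# Constructed samples: the lsof line from the posting (root-owned
# listener) and a hypothetical line for an unprivileged child.
SAMPLE_LISTENER='sshd 109 root rtd VDIR 13,196608 1024 2 /'
SAMPLE_CHILD='sshd 231 sshd rtd VDIR 13,196608 512 4711 /usr/empty'

# Constructed sshd_config fragments: an old one with a deprecated option
# and privsep commented out, and a corrected one.
SAMPLE_CFG_OLD='Port 22
CheckMail yes
#UsePrivilegeSeparation yes'
SAMPLE_CFG_NEW='Port 22
UsePrivilegeSeparation yes
Compression yes'

# privsep_rtd: read "lsof -p PID" output on stdin and print
#   chrooted      process root is PRIVSEP_DIR
#   not-chrooted  an rtd line is present but points elsewhere
#   no-rtd        no rtd line at all (wrong PID, or lsof failed)
# lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME;
# FD is "rtd" for the root directory and NAME (last field) is the path.
privsep_rtd() {
    awk -v want="$PRIVSEP_DIR" '
        $4 == "rtd" { found = 1; if ($NF == want) ok = 1 }
        END {
            if (!found) print "no-rtd"
            else if (ok) print "chrooted"
            else print "not-chrooted"
        }'
}

# sshd_config_privsep: read sshd_config on stdin and print the value of
# the first uncommented UsePrivilegeSeparation line (sshd honours the
# first occurrence of a keyword), or "unset" if there is none.
sshd_config_privsep() {
    awk '
        /^[ \t]*#/ { next }
        val == "" && tolower($1) == "useprivilegeseparation" { val = tolower($2) }
        END { print (val == "" ? "unset" : val) }'
}

# sshd_config_deprecated: print each uncommented directive known to be
# reported as deprecated by 3.3p1. Only CheckMail is known from the
# posting; extend the list as your sshd reports others.
sshd_config_deprecated() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "checkmail" { print $1 }'
}

# check_live_sshd: for every non-root sshd process, report whether it is
# chrooted. The pre-auth child exists only while a connection is being
# authenticated, so open a connection first. The root listener always
# shows "/" and is not evidence either way.
check_live_sshd() {
    ps -axo pid,user,comm | awk '$3 == "sshd" && $2 != "root" { print $1 }' |
    while read -r pid; do
        printf 'sshd pid %s: %s\n' "$pid" "$(lsof -p "$pid" 2>/dev/null | privsep_rtd)"
    done
}

# Stand-alone demonstration on the constructed samples.
printf 'listener: %s\n' "$(printf '%s\n' "$SAMPLE_LISTENER" | privsep_rtd)"
printf 'child:    %s\n' "$(printf '%s\n' "$SAMPLE_CHILD" | privsep_rtd)"
printf 'old cfg: privsep=%s deprecated=%s\n' \
    "$(printf '%s\n' "$SAMPLE_CFG_OLD" | sshd_config_privsep)" \
    "$(printf '%s\n' "$SAMPLE_CFG_OLD" | sshd_config_deprecated | tr '\n' ' ')"
printf 'new cfg: privsep=%s\n' "$(printf '%s\n' "$SAMPLE_CFG_NEW" | sshd_config_privsep)"
if [ "${1:-}" = "--live" ]; then check_live_sshd; fi
```

Run it with no arguments to see the constructed samples classified; run it as root with --live on the host, with an ssh connection sitting at the password prompt, to inspect the real pre-auth child. A "not-chrooted" result on a non-root sshd process is the real failure signal; "not-chrooted" on the root listener is expected.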