Date:      Mon, 22 Jan 1996 20:59:21 +0800
From:      Peter Wemm <peter@jhome.DIALix.COM>
To:        Андрей Чернов (aka Andrey A. Chernov, Black Mage) <ache@astral.msk.su>
Cc:        ports@freebsd.org, security@freebsd.org
Subject:   Re: ssh /etc config files location.. 
Message-ID:  <199601221259.UAA04035@jhome.DIALix.COM>
In-Reply-To: Your message of "Mon, 22 Jan 1996 13:13:02 +0300." <cFkCs0niw3@ache.dialup.ru>

>>I am still somewhat disturbed with the location of some rather critical 
>>"per site" info from ssh in /usr/local/etc..  Specifically the ssh host 
>>secret keys, and the per-site config files.
>
>>This is (IMHO) rather dangerous.  If you NFS mount /usr/local, this will 
>>screw you rather badly.
>
>>There are precedents against this too..  gated keeps its config files in 
>>/etc.
>
>There are precedent _for_ this, tcp_wrapper uses /usr/local/etc.

True, but in the most likely case of having /usr/local shared (ie: a small
group of machines) tcp_wrapper configs are most likely to be the same
for all the hosts anyway.  However, tcp_wrapper does not need to constantly
write to any files in /usr/local/etc like sshd has been configured to do.

>Using NFS for /usr/local/bin/{security_binaries} is big risk too
>because they can be changed (like config files).
>I don't see the point to move security-related configs to /etc
>and _not_ to move security binaries from /usr/local.

If you choose to run binaries off a machine, you are choosing to trust
the security of your network and that machine.  If I have two machines
sitting right next to each other with 6 feet of ethernet cable, and not
enough disk space, why shouldn't I be able to NFS share some things (like
X11R6 and /usr/local)?

>So there are two normal solutions:
>1) Leave all as is in /usr/local, but not mount it over NFS
>2) Move configs & binaries _both_ off /usr/local.
>
>I disagree with proposed solution (moving configs only to /etc).

I'm not worried so much about the config files, but I am worried about the
run-time data generated by sshd that is written to the etcdir, and I'm also
concerned about the critical public and private host keys.  sshd_config and
ssh_config could stay in /usr/local/etc for all I care. :-)

I'm not complaining about this from a "security" point of view, I'm
complaining about this from a "functionality" point of view.

Remember, we still support mounting all of /usr via NFS. There's no need
to make a special case for /usr/local with regard to running "security
sensitive" programs.  If somebody has hacked your fileserver and replaced
/usr/bin/login, it won't be long before some root process runs the fake
"login" as root. (Hell, the hacker can telnet to your machine, and telnetd
will run the hacked "login" as root right then..)


>>PS: IMHO, it was a mistake adding the BUILD_DEPENDS in wish and perl5. it 
>>builds fine without them.  It seems silly to require X11 to be installed 
>>in order to build the port..
>
>It builds fine, but incomplete, namely:
>
>ssh-askpass needs wish
>make-ssh-known-hosts needs perl5

Exactly.. It "builds fine".  It probes to see if the tools exist, and codes
in the exact pathnames if they are there, and puts in default pathnames
if they are not.

>So here are two variants:
>1) They are essential, so BUILD_DEPENDS is essential too.
>2) They don't play big role. In this case they need to be controlled
>via USE_* variables like other stuff in ssh Makefile. I.e. corresponding
>BUILD_DEPENDS must be ifdefed.
>
>Removing BUILD_DEPENDS is bad in any case.

Why? If I don't have X11 installed on the target system (and NEVER will, 
because it's a dialup box), and hence will not have wish, and ssh does not
need wish and will happily build without it, why should I be prevented
from building the non-X11 port?

As far as I can see, they are used like this (sketched as runnable sh):
WISH=`command -v wish 2>/dev/null`   # exact location if "wish" is on $PATH
if [ -z "$WISH" ]; then
  WISH=/usr/local/bin/wish           # default location, used when not found
  echo "Wish not installed, ssh-askpass will not work."
fi
.....
echo "#! $WISH" > ssh-askpass
cat ssh-askpass.in >> ssh-askpass

If you build ssh and later install wish, the ssh-askpass will then work.
It's a runtime dependency, not a BUILD_DEPENDS.

What I think should be done there, is that the default $PERL and $WISH
should be patched to specify the correct "default" location for FreeBSD.

Then, when the port is built, it will search the path and use the exact
location of the binaries in case they are in non-standard locations, and
will still build a functional result if it's not currently installed.
ie: it'll be a #! /usr/X11R6/bin/wish line in the ssh-askpass script. If you
later want to run it, you merely need to install a wish package and
it all works.

ssh-make-known-hosts does not work correctly when probing anything
other than a FreeBSD box with ssh built from this port, because
it's looking for /etc/ssh_host_key.pub in the wrong location.
The SSH author complained to me that we were doing this.

Hmm, I just re-ran the "make" to build the port. I can see that there
are a few things that "configure" has got wrong...

It should also use the system libgmp and the zlib port rather than
building its own....

>-- 
>Andrey A. Chernov        : And I rest so composedly,  /Now, in my bed,
>ache@astral.msk.su       : That any beholder  /Might fancy me dead -
>http://dt.demos.su/~ache : Might start at beholding me,  /Thinking me dead.
>RELCOM Team,FreeBSD Team :         E.A.Poe         From "For Annie" 1849

Cheers,
-Peter

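The worry raised in this message, that the directory holding the ssh host keys and the run-time data sshd writes could sit on an NFS-mounted /usr/local, can be turned into a check. The script below is an added example, not code from this thread or from the ssh port: it classifies the filesystem that holds a candidate etcdir by longest-prefix match against a mount table, warns when that filesystem is a network one, and checks that a private host key file is readable by its owner only. The mount table is constructed for the example to mimic the shared /usr/local setup described above; its three-column format, the fileserver name and the device names are assumptions, and a real run would read `mount -p` (FreeBSD) or /proc/mounts (Linux), whose columns differ.

```sh
#!/bin/sh
# Added example (not from the thread or the ssh port): does the directory
# where this sshd keeps its host keys and writes run-time data live on a
# remote filesystem, and are the private host key's permissions sane?
#
# Assumption: the mount table format below ("device mountpoint fstype",
# one entry per line) is constructed for this example.

# Constructed sample mount table for the scenario in the thread: /usr/local
# and /usr/X11R6 shared from a fileserver over NFS, everything else local.
SAMPLE_MOUNTS='/dev/sd0a / ufs
/dev/sd0e /usr ufs
fileserver:/export/local /usr/local nfs
fileserver:/export/X11R6 /usr/X11R6 nfs
/dev/sd0f /var ufs'

# fs_type_of PATH TABLE: print the fstype of the mount holding PATH,
# chosen by longest-prefix match of mount points against PATH.
fs_type_of() {
  _path=$1
  _best_len=-1
  _best_type=""
  while read -r _dev _mp _type; do
    [ -n "$_mp" ] || continue
    case "$_path" in
      "$_mp"|"$_mp"/*) ;;                # PATH is at or below this mount point
      *) [ "$_mp" = / ] || continue ;;   # the root mount holds everything
    esac
    if [ "${#_mp}" -gt "$_best_len" ]; then
      _best_len=${#_mp}
      _best_type=$_type
    fi
  done <<EOF
$2
EOF
  printf '%s\n' "$_best_type"
}

# is_remote_fs FSTYPE: true for network filesystems, where another host
# (and anyone who can spoof it on the wire) controls what the client sees.
is_remote_fs() {
  case "$1" in
    nfs|nfs4|smbfs|cifs|afs) return 0 ;;
    *) return 1 ;;
  esac
}

# etcdir_is_local ETCDIR TABLE: true when ETCDIR is on a local filesystem;
# otherwise warn, because host keys and sshd's run-time data would then be
# served over, and written back over, the network.
etcdir_is_local() {
  _t=$(fs_type_of "$1" "$2")
  if is_remote_fs "$_t"; then
    echo "WARNING: $1 is on $_t; ssh_host_key and sshd run-time data would cross the network" >&2
    return 1
  fi
  return 0
}

# key_perms_ok FILE: true when FILE exists and is not group- or world-readable.
# find -perm with octal masks behaves the same on BSD and GNU userlands.
key_perms_ok() {
  [ -f "$1" ] || return 1
  _leak=$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)
  [ -z "$_leak" ]
}

# Stand-alone run over the constructed table: the port's default etcdir
# (/usr/local/etc) against the proposed alternative (/etc).
for d in /usr/local/etc /etc; do
  if etcdir_is_local "$d" "$SAMPLE_MOUNTS"; then
    echo "$d: local ($(fs_type_of "$d" "$SAMPLE_MOUNTS"))"
  else
    echo "$d: remote"
  fi
done
```

On a real host, feed `fs_type_of` the live mount table instead of `SAMPLE_MOUNTS` and point `key_perms_ok` at the installed `ssh_host_key`; the longest-prefix match is what keeps a nested mount such as /usr/local from being misreported as the type of /usr.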


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199601221259.UAA04035>