From owner-freebsd-ports Mon Jan 22 05:00:57 1996 Return-Path: owner-ports Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id FAA09162 for ports-outgoing; Mon, 22 Jan 1996 05:00:57 -0800 (PST) Received: from jhome.DIALix.COM (root@jhome.DIALix.COM [192.203.228.69]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id FAA09139 Mon, 22 Jan 1996 05:00:46 -0800 (PST) Received: from localhost.DIALix.oz.au (peter@localhost.DIALix.oz.au [127.0.0.1]) by jhome.DIALix.COM (8.7.3/8.7.3) with SMTP id UAA04035; Mon, 22 Jan 1996 20:59:22 +0800 (WST) Message-Id: <199601221259.UAA04035@jhome.DIALix.COM> X-Authentication-Warning: jhome.DIALix.COM: Host peter@localhost.DIALix.oz.au [127.0.0.1] didn't use HELO protocol To: =?KOI8-R?Q?=E1=CE=C4=D2=C5=CA_=FE=C5=D2=CE=CF=D7?= (aka Andrey A. Chernov, Black Mage) cc: ports@freebsd.org, security@freebsd.org Subject: Re: ssh /etc config files location.. In-reply-to: Your message of "Mon, 22 Jan 1996 13:13:02 +0300." Date: Mon, 22 Jan 1996 20:59:21 +0800 From: Peter Wemm Sender: owner-ports@freebsd.org Precedence: bulk >>I am still somewhat disturbed with the location of some rather critical >>"per site" info from ssh in /usr/local/etc.. Specifically the ssh host >>secret keys, and the per-site config files. > >>This is (IMHO) rather dangerous. If you NFS mount /usr/local, this will >>screw you rather badly. > >>There are precedents against this too.. gated keeps it's config files in >>/etc. > >There are precedent _for_ this, tcp_wrapper uses /usr/local/etc. True, but in the most likely case of having /usr/local shared (ie: a small group of machines) tcp_wrapper configs are most likely to be the same for all the hosts anyway. However, tcp_wrapper does not need to constantly write to any files in /usr/local/etc like sshd has been configured to do. >Using NFS for /usr/local/bin/{security_binaries} is big risk too >because they can be changes (like config files). >I don't see the point to move security-related configs to /etc >and _not_ to move security binaries from /usr/local. If you choose to run binaries off a machine, you are choosing to trust the security of your network and that machine. If I have two machines sitting right next to each other with 6 feet of ethernet cable, and not enough disk space, why shouldn't I be able to NFS share some things (like X11R6 and /usr/local). >So there is two normal solutions: >1) Leave all as is in /usr/local, but not mount it over NFS >2) Move configs & binaries _both_ off /usr/local. > >I disagree with proposed solution (moving configs only to /etc). I'm not worried so much about the config files, but I am worried about the run-time data generated by sshd that is written to the etcdir, and I'm also concerned about the critical public and private host keys. sshd_config and ssh_config could stay in /usr/local/etc for all I care. :-) I'm not complaining about this from a "security" point of view, I'm complaining about this from a "functionality" point of view. Remember, we still support mounting all of /usr via NFS. There's no need to make a special case for /usr/local with regard to running "security sensative" programs. If somebody has hacked your fileserver and replaced /usr/bin/login, it wont be long before some root process runs the fake "login" as root. (Hell, the hacker can telnet to your machine, and telnetd will run the hacked "login" as root right then..) >>PS: IMHO, it was a mistake adding the BUILD_DEPENDS in wish and perl5. it >>build's fine without them. It seems silly to require X11 to be installed >>in order to build the port.. > >It builds fine, but incomplete, namely: > >ssh-askpass needs wish >make-ssh-known-hosts needs perl5 Exactly.. It "builds fine". It probes to see if the tools exist, and codes in the exact pathnames if they are there, and puts in default pathnames if they are not. >So here is two variants: >1) They are essential, so BUILD_DEPENDS is essential too. >2) They don't play big role. In this case they need to be controlled >via USE_* variables like other stuff in ssh Makefile. I.e. corresponding >BUILD_DEPENDS must be ifdefed. > >Removing BUILD_DEPENDS is bad in any case. Why? If I dont have X11 installed on the target system (and NEVER will, because it's a dialup box), and hence will not have wish, and ssh does not need wish and will happily build without it, why should I be prevented from building the non-X11 port? As far as I can see, they are used like this: if "wish" on $PATH WISH=`location of wish` else WISH=/usr/local/bin/wish echo "Wish not installed, ssh-askpass will not work." fi ..... echo "#! $WISH" > ssh-askpass cat ssh-askpass.in >> ssh-askpass If you build ssh and later install wish, the ssh-askpass will then work. It's a runtime dependency, not a BUILD_DEPENDS. What I think should be done there, is that the default $PERL and $WISH should be patched to specify the correct "default" location for FreeBSD. Then, when the port is built, it will search the path and use the exact location of the binaries in case they are in non-standard locations, and will still build a functional result if it's not currently installed. ie: it'll be #! /usr/X11R6/bin/wish line in the ssh-askpass script. If you later want to run it, you merely need to install a wish package and it all works. ssh-make-known-hosts does not work correctly when probing anything other than a FreeBSD box with ssh build from this port, because it's looking for /etc/ssh_host_key.pub in the wrong location. The SSH author complained to me that we were doing this. Hmm, I just re-ran the "make" to build the port. I can see that there are a few things that "configure" has got wrong... It should also use the system libgmp and the zlib port rather than building it's own.... >-- >Andrey A. Chernov : And I rest so composedly, /Now, in my bed, >ache@astral.msk.su : That any beholder /Might fancy me dead - >http://dt.demos.su/~ache : Might start at beholding me, /Thinking me dead. >RELCOM Team,FreeBSD Team : E.A.Poe From "For Annie" 1849 Cheers, -Peter