Date:      Tue, 25 Jun 2002 21:59:28 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Scott Mitchell <scott.mitchell@mail.com>
Cc:        Christopher Schulte <schulte+freebsd@nospam.schulte.org>, Lord Raiden <raiden23@netzero.net>, Marco Radzinschi <marco@radzinschi.com>, FreeBDS-Questions <freebsd-questions@FreeBSD.ORG>
Subject:   Re: Upcoming OpenSSH vulnerability (fwd)
Message-ID:  <20020625205928.GA50230@happy-idiot-talk.infracaninophi>
In-Reply-To: <20020625205840.B381@fishballoon.dyndns.org>
References:  <5.1.1.6.2.20020624224948.02923518@pop3s.schulte.org> <20020624234646.G22328-100000@mail.radzinschi.com> <4.2.0.58.20020625134233.009992b0@pop.netzero.net> <5.1.1.6.2.20020625124040.041c50f0@pop3s.schulte.org> <20020625205840.B381@fishballoon.dyndns.org>

On Tue, Jun 25, 2002 at 08:58:40PM +0100, Scott Mitchell wrote:

> With previous ssh vulnerabilities I've been able to just patch the base
> system, by rebuilding the world or using the patch included with the
> advisory.  However, to get to 3.3 it looks like I'd need to install a port.
 
> There are two OpenSSH ports: security/openssh and security/openssh-portable
 
> What's the difference between these two ports?

security/openssh is the straight OpenBSD code, also used in NetBSD.
security/openssh-portable is the modified portable version everyone
else uses.  The main difference is that openssh-portable includes PAM
support.
 
> Which one should I install to deal with this vulnerability?

Either will do: however the plan is that OpenSSH as supplied in the
base system will be upgraded to OpenSSH portable in the very near
future.  As there shouldn't be too many FreeBSD-specific modifications
to the portable code, it's likely that we'll be tracking new releases
of OpenSSH rather more closely than has been the case up to now.

I'd install openssh-portable 3.3p1 now, before the full disclosure of
the vulnerability on (I think) Thursday, which should tide you over
until the base system gets 3.4p1 with the full patch.  You need to
install 3.3p1 from a ports tree cvsup'd sometime after last night to
get the separation of privilege thing, which will provide almost
complete protection from the security hole.

Remember to copy your host keys to /usr/local/etc:

cd /etc/ssh
cp ssh_host*key* /usr/local/etc/

and set:

sshd_program="/usr/local/sbin/sshd"

in /etc/rc.conf to use the new daemon by default. 

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
Tel: +44 1628 476614                                  Marlow
Fax: +44 0870 0522645                                 Bucks., SL7 1TH UK

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
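
A post-migration check for the two steps in the message above (host keys copied to /usr/local/etc, sshd_program set in /etc/rc.conf), as an added example that is not part of the original message. The function names, script name and output labels are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original message). Paths are passed as
# arguments so the checks can also be run against test copies.

# check_host_keys BASE_DIR PORT_DIR
# Succeeds only if every ssh_host*key* file in BASE_DIR has a byte-identical
# copy in PORT_DIR and no copied private key is group- or world-readable.
check_host_keys() {
    base=$1; port=$2; rc=0; found=0
    for src in "$base"/ssh_host*key*; do
        [ -f "$src" ] || continue
        found=1
        dst="$port/$(basename "$src")"
        if [ ! -f "$dst" ]; then
            echo "MISSING  $dst"; rc=1; continue
        fi
        cmp -s "$src" "$dst" || { echo "DIFFERS  $dst"; rc=1; }
        case $dst in
            *.pub) ;;   # public halves may be world-readable
            *) if [ -n "$(find "$dst" \( -perm -040 -o -perm -004 \) -print)" ]; then
                   echo "PERMS    $dst is readable by group or others"; rc=1
               fi ;;
        esac
    done
    [ "$found" -eq 1 ] || { echo "NO KEYS  found in $base"; rc=1; }
    return "$rc"
}

# check_sshd_program RC_CONF
# Succeeds only if the last sshd_program= line in RC_CONF is an absolute path.
check_sshd_program() {
    val=$(sed -n 's/^sshd_program=//p' "$1" | tail -n 1)
    val=${val#\"}; val=${val%\"}
    case $val in
        /*) echo "OK       sshd_program=$val"; return 0 ;;
        "") echo "UNSET    sshd_program not set in $1"; return 1 ;;
        *)  echo "RELATIVE sshd_program=$val is not an absolute path"; return 1 ;;
    esac
}

# Usage: sh check_ssh_migration.sh /etc/ssh /usr/local/etc /etc/rc.conf
if [ "$#" -eq 3 ]; then
    check_host_keys "$1" "$2"
    check_sshd_program "$3"
fi
```

A DIFFERS or MISSING line means the new daemon would present a different host key to clients than the base-system sshd did.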



