Re: OpenSSH b0rked (was RE: Problems with IPFW patch)

From: Rasputin (rasputin@FreeBSD-uk.eu.org)
Date: 01/29/01


Date: Mon, 29 Jan 2001 09:57:53 +0000
From: Rasputin <rasputin@FreeBSD-uk.eu.org>
To: freebsd-security@freebsd.org


* Matt Dillon <dillon@earth.backplane.com> [010126 21:55]:
> :I would ask, that in -STABLE at least, the fatal error be backed
> :out to a warning, at least for a few months (with sshd ignoring the
> :directive, and continuing to run), and then only move to a fatal
> :error + die.
> :
> :-aDe
>
> I second this request. It also happened when pam.conf/ssh changed.
> Only the serial console saved me from a car trip to one of my
> colocated machines. Two such changes in a row for ssh is too much.
>
> -Matt

In general I'd agree with Matt and aDe, but if a directive
affecting security has changed, I'd say it's better to be notified of it
as soon as possible.
Killing off sshd obviously makes remote admin a real problem, though;
is there another way to guarantee we'd notice?
 

-- 
Rasputin 
Jack of All Trades :: Master of Nuns