Re: Help : Is there a new SSH hack out there?

From: Nico Kadel-Garcia (nkadel@bellatlantic.net)
Date: 08/31/02


From: "Nico Kadel-Garcia" <nkadel@bellatlantic.net>
Date: Sat, 31 Aug 2002 02:21:18 GMT


"Jem Berkes" <jb2002-delete-this-AND-users@users.pc9.org> wrote in message
news:Xns927AB86A7A627jbdontusepc9org@205.200.16.73...
> > I have a RH 7.3 box w/ updates applied.
> >
> > [root@charlie /]# rpm -qa | grep openssh
> > openssh-clients-3.1p1-6
> > openssh-server-3.1p1-6
> > openssh-askpass-3.1p1-6
> > openssh-3.1p1-6
>
> They had better have some more recent updates than that. As per
> http://www.openssh.org/
>
> "At least one major security vulnerability exists in many deployed
> OpenSSH versions (2.3.1 to 3.3) . . . Therefore, we urge an upgrade to
> 3.4."
>
> You might want to try uninstalling all those rpms and building and
> installing openssh from the source. It's good for the soul. See
>
> http://www.openssh.com/portable.html

OK, one more time.

1: The hole in OpenSSH 3.1p1 was very specific, easily patched, and is
patched in the latest RedHat 3.1p1 RPMs and many other distributors'
bundles, if not all.

2: OpenSSH 3.4p1 introduced a fascinating new feature, "PrivSep".
Unfortunately, it really wasn't ready for production and should be turned on
only in a test environment: it fails on various kernels, interferes with
compression for other systems, and generally needs another year for the code
to stabilize. RedHat has so far not released it for any of their production
OS's, with very good reason: it's just not stable yet. The very code that
introduces the PrivSep feature is itself an insufficiently tested change in
the way the system works, and may itself have undetected bugs.

Merely building RPMs for laughs is like dismantling your porch furniture.
It's generally a waste of everyone's time: instead, try working with
integrating actual features that you want, such as more appropriate
ssh*_config settings for your systems.