Re: Help : Is there a new SSH hack out there?

From: Nico Kadel-Garcia (nkadel@bellatlantic.net)
Date: 08/31/02


From: "Nico Kadel-Garcia" <nkadel@bellatlantic.net>
Date: Sat, 31 Aug 2002 02:21:18 GMT


"Jem Berkes" <jb2002-delete-this-AND-users@users.pc9.org> wrote in message
news:Xns927AB86A7A627jbdontusepc9org@205.200.16.73...
> > I have a RH 7.3 box w/ updates applied.
> >
> > [root@charlie /]# rpm -qa | grep openssh
> > openssh-clients-3.1p1-6
> > openssh-server-3.1p1-6
> > openssh-askpass-3.1p1-6
> > openssh-3.1p1-6
>
> They had better have some more recent updates than that. As per
> http://www.openssh.org/
>
> "At least one major security vulnerability exists in many deployed
> OpenSSH versions (2.3.1 to 3.3) . . . Therefore, we urge an upgrade to
> 3.4."
>
> You might want to try uninstalling all those rpms and building and
> installing openssh from the source. It's good for the soul. See
>
> http://www.openssh.com/portable.html

OK, one more time.

1: The hole in OpenSSH 3.1p1 was very specific, easily patched, and is
patched in the latest RedHat 3.1p1 RPMs and many other distributors'
bundles, if not all.

2: OpenSSH 3.4p1 introduced a fascinating new feature, "PrivSep".
Unfortunately, it really wasn't ready for production and should be turned on
only in a test environment: it fails on various kernels, interferes with
compression for other systems, and generally needs another year for the code
to stabilize. RedHat has so far not released it for any of their production
OS's, with very good reason: it's just not stable yet. The very code that
introduces the PrivSep feature is itself an insufficiently tested change in
the way the system works, and may itself have undetected bugs.

Merely building RPMs for laughs is like dismantling your porch furniture.
It's generally a waste of everyone's time: instead, try working with
integrating actual features that you want, such as more appropriate
ssh*_config settings for your systems.


