On Wednesday 26 June 2002 21.11, Vincent Danen wrote:
> On Wed Jun 26, 2002 at 05:40:25PM +0200, Oden Eriksson wrote:
>
> [...]
>
> > > Probably not a good idea. privsep is the official workaround to an
> > > undisclosed remote root in openssh; the fix for this hole will be
> > > available when the information is provided; having privsep enabled
> > > with some uncomfortable side-effects for a week is a helluvalot more
> > > comfortable than getting rooted.
> >
> > As so many times before..., I spoke too soon. Now that I've read more
> > about it I realize the threat.
>
> =) And it's now public... expect the exploits any hour now.
Thanks, I have had the time to fix this on the servers I'm responsible for. I think this is the first time I've actually fixed a security hole of this magnitude before it was known..., amazing...

> > > If you are tempted to disable privsep, I would encourage you to shut
> > > off sshd entirely. If that's not possible, use privsep and, as they
> > > say, grin and bear it.
> >
> > No, I will use it, there's currently no other option it seems.
>
> Not really. Except upgrading to 3.4 and then you can turn privsep off
> since the vulnerability is fixed.

Thanks, I read about it. But I think I'll keep privsep turned on.

> > > system wide. I haven't had a chance to announce it yet, but it's
> > > already on the FTP sites. It won't show in MandrakeUpdate because it
> > > is a new package (and only needed for people interested in rebuilding
> > > srpms).
> >
> > Very nice, I will check it out ASAP.
>
> /me still has to announce it
>
> > > > Oh.., I found another missing file in the openssh package (+ some
> > > > minor fixes), a patch is attached.
> > >
> > > Thanks.. I'll take a look at it shortly. Trying to do my part in
> > > helping the openssh developers iron out some bugs in the privsep code.
> >
> > Cool.
>
> Well, 3.4 looks a little better, but still problems with PAM. I hope
> a 3.4.1 fixes all of the PAM issues, but until then, 3.4 is your best
> bet (you can use it without privsep if you are really concerned about
> expired passwords, etc.).

Ok, great to know! I only wish they could fix the hanging on exit thing too..., the "shopt -s huponexit" does not always work. Since this seems to be a bash/openssh related problem only I think I will try to use ash for a while and see if it disappears. I wonder if z shell ever hangs on exit? (Andrej?)

> In cooker, and building it for updates. This one will be going thru
> QA so the packages won't be available today for updates.

-- 
Regards // Oden Eriksson
Deserve-IT Networks -> http://d-srv.com
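The thread above boils down to a two-line decision rule for anyone auditing a fleet of sshd hosts: OpenSSH 3.4 has the fix, so it is fine with or without privsep; anything older is only acceptable with UsePrivilegeSeparation turned on, and otherwise the advice is to upgrade or shut sshd off. Below is an added example, not code from the thread, from Mandrake or from the OpenSSH project, that applies that rule as a POSIX shell check. It assumes the version string has the shape `ssh -V` prints (`OpenSSH_3.4p1, ...`), that sshd honours the first occurrence of a keyword in sshd_config (which it does), and, as a deliberately conservative assumption, that a config with no UsePrivilegeSeparation line means privsep is off, so such hosts get flagged for manual review rather than silently passed. The sample configs are constructed inline.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): classify an sshd
# instance as "fixed" (3.4 or later), "mitigated" (older, privsep on) or
# "EXPOSED" (older, privsep off) from its version string and sshd_config.

# version_num "OpenSSH_3.4p1, ..." -> 30400  (major*10000 + minor*100 + patch)
# The OpenSSH_ prefix and anything from the first non-numeric character
# onward (the portable "p1" suffix, the rest of the ssh -V line) are dropped.
version_num() {
    v=$(printf '%s' "$1" | sed 's/^OpenSSH_//; s/[^0-9.].*$//')
    maj=$(printf '%s' "$v" | cut -d. -f1)
    min=$(printf '%s' "$v" | cut -s -d. -f2)   # -s: empty if no "." present
    pat=$(printf '%s' "$v" | cut -s -d. -f3)
    [ -n "$maj" ] || maj=0
    [ -n "$min" ] || min=0
    [ -n "$pat" ] || pat=0
    echo $((maj * 10000 + min * 100 + pat))
}

# privsep_on FILE : succeed if the effective UsePrivilegeSeparation is "yes".
# sshd takes the first occurrence of a keyword; keywords are case-insensitive,
# and commented-out lines are skipped by anchoring on the keyword itself.
# Assumption (mine): no directive at all is treated as privsep OFF.
privsep_on() {
    val=$(grep -i '^[[:space:]]*UsePrivilegeSeparation[[:space:]]' "$1" \
          | head -n 1 | awk '{print tolower($2)}')
    [ "$val" = "yes" ]
}

# sshd_status VERSION_STRING FILE : print fixed | mitigated | EXPOSED
sshd_status() {
    if [ "$(version_num "$1")" -ge 30400 ]; then
        echo fixed          # 3.4 or later: the hole is closed, privsep optional
    elif privsep_on "$2"; then
        echo mitigated      # older sshd running the workaround the thread recommends
    else
        echo EXPOSED        # older sshd without privsep: upgrade, or turn sshd off
    fi
}

# Constructed sample configs (not taken from any real host).
tmp=${TMPDIR:-/tmp}/sshd_example.$$
mkdir -p "$tmp"
cat > "$tmp/privsep.conf" <<'EOF'
# sshd_config with the workaround applied
Port 22
UsePrivilegeSeparation yes
EOF
cat > "$tmp/noprivsep.conf" <<'EOF'
Port 22
#UsePrivilegeSeparation yes
UsePrivilegeSeparation no
EOF

# On a real host: sshd_status "$(ssh -V 2>&1)" /etc/ssh/sshd_config
sshd_status "OpenSSH_3.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f" "$tmp/privsep.conf"    # mitigated
sshd_status "OpenSSH_3.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f" "$tmp/noprivsep.conf"  # EXPOSED
sshd_status "OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f" "$tmp/noprivsep.conf"  # fixed
```

The sample files are left under `$TMPDIR` (or /tmp) so they can be inspected; remove the directory when done. If your build's compiled-in default for UsePrivilegeSeparation is "yes", a host reported as EXPOSED only because the directive is absent is a false positive, which is the intended direction of error for an audit run against a remote root.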