RE: [Leaf-devel] OpenSSH security
To sum up many posts and hopefully wrap up this thread... I've posted a new sshd.lrp at www.nothome.org:8000 The only change is a new /usr/sbin/add-sshd-user script, in response to Charles' comment that it would be nice to have a script to add the sshd user. The script isn't pretty, and it is fairly large (4K), but hopefully it covers 80% of the cases of creating the sshd user and group. Yes, it normally takes 4 lines of script to do that, but this script "tries real hard" (TM) to: * (by default) add sshd UID 22, GID 22 to the password and group files * If the GRP and GID variables at the top of the script are changed, it will use those (perhaps "nogroup", as Michael D. Schleif suggested) * Use a different UID, if desired for some reason * Add the sshd user only if it does not already exist * Add the sshd user with a different UID if the requested UID is already in use * Add the defined group only if it does not exist * Add the defined group with a different GID if the requested GID is already in use * Insert the user and group into passwd & group in numerical order, not "at the end of the file" * Reset the permissions & ownership on the new passwd,group, and shadow files even if your group file is broken * Allow you to run all of this on a test directory first (see PTH variable, at top) --- The script is *not* listed in the package list, and is specifically listed in the exclude.list, so that it won't get backed up when sshd.lrp is backed up. The idea is to install sshd, run add-sshd-user as root, backup etc, backup sshd, and never think about this again. For those interested in the script only, I've placed it at the web site mentioned above as a text file (add-sshd-user.txt) Anyone is welcome to do anything they want with this script. - George Georgalis asked if it was possible to compile sshd without zlib (which makes sense, since compression must be turned off to use privilege separation). As far as I was able to tell, zlib is required to compile sshd. But the space requirements aren't that bad, since sshd and ssh are both dynamically linked against zlib. Finally, Greg Morgan pointed out that he hadn't seen many port 22 probes recently ... dshield.org doesn't list port 22 very high either. Such is life; at least we were prepared. :-) Thank you all for your comments and suggestions. --- This sf.net email is sponsored by:ThinkGeek Bringing you mounds of caffeinated joy. http://thinkgeek.com/sf ___ Leaf-devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-devel
Re: [Leaf-devel] OpenSSH security
Interesting observations in the logs. When the SSH zlib problem came up, I had lots of port 22 entries in the logs for awhile. Until Monday I had not been nmaped port scanned in a long long time. It appears like the hackers like to use class C range scans on one port. I have two dachstein firewalls on @cox network. I see the same ip addresses hitting on port, say, 21 about one hour and a half a part from each other. Both firewalls use the same time server to keep the clocks maintained. When the privilege escalation OpenSSH problem was announced there were no new 22 port scans noted. In fact I had 11 port scans for port 21 over two days on July 1 and 2. That was out of 16 logged. July 3 is a pre holiday day and the Deny messages are light. I finally have 4 port 22 denies, and 2 port 21 deny out of 8 denies logged. Greg Morgan --- This sf.net email is sponsored by:ThinkGeek Caffeinated soap. No kidding. http://thinkgeek.com/sf ___ Leaf-devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-devel
Re: [Leaf-devel] OpenSSH security
Nathan Angelacos wrote: > > >I'm curious about /etc/group modification? > > > >I've upgraded two (2) potato's and two (2) woody's. Yes, there is a > >new user in passwd/shadow; but, I do not have any new group for > >sshd. > > > >Yes, I have seen the instructions for installing manually; but, I > >cannot find a reason for the special group. > > > >What do you think? > > Good question. I wondered the same thing, figured "'cause Theo said > so.." and dismissed it. But after you asked, I checked the source... > :-) > > sshd.c in privsep_preauth_child does a setgid() from the sshd's > primary group (in passwd) when setting up the chroot jail. The > manual instructions make sure that the uid:gid is sshd:sshd. > So I guess "'cause Theo said so" works. :-) > > I'm curious though, on your debian systems, what is the gid for the > sshd user? The sshd.c source seems to indicate that sshd will fail > if the group doesn't exist. OK, here is the debian position: [a] # grep ssh /etc/passwd /etc/passwd:sshd:x:103:65534::/home/sshd:/bin/false [b] # grep 65534 /etc/group nogroup:x:65534: [c] According to the openssh sshd.8 manpage: /var/empty chroot(2) directory used by sshd during privilege separation in the pre-authentication phase. The directory should not contain any files and must be owned by root and not group or world- writable. [d] debian changed this at compile time to: /var/run/sshd [e] So, there is *NO* requirement for group sshd. [f] There is a requirement for an existing directory to which to chroot -- he default is /var/empty . Therefore, in my ssh v3.4p1 distribution for LEAF, I adding the sshd user and using the debian nogroup group. Regardless which way to go, an *empty* /var/empty directory *MUST* exist! hth -- Best Regards, mds mds resource 888.250.3987 Dare to fix things before they break . . . Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . . --- This sf.net email is sponsored by:ThinkGeek No, I will not fix your computer. http://thinkgeek.com/sf ___ Leaf-devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-devel
Re: [Leaf-devel] OpenSSH security
Nathan Angelacos wrote: > > On 1 Jul 2002 at 22:38, Greg Morgan wrote: > > Long answer: According to > > http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102495293705094&w2 > > Privilege separation takes ~24500 lines of code and puts it in a chroot > jail, leaving only ~2500 lines of code running as root. I believe the > thinking here is that privilege separation doesn't fix this problem > specifically; it makes it less likely for there to be privilege escalation > in the future. Privilege separation was evidently available in earlier > versions of openSSH, the difference is that it is now the default. Thanks. Your paragraph provides some additional information I had not received. It appears to be a simple choice based on the above information. chroot is better. Greg Morgan --- This sf.net email is sponsored by:ThinkGeek No, I will not fix your computer. http://thinkgeek.com/sf ___ Leaf-devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-devel
Re: [Leaf-devel] OpenSSH security
Nathan Angelacos wrote: > > >I'm curious about /etc/group modification? > > > >I've upgraded two (2) potato's and two (2) woody's. Yes, there is a > >new user in passwd/shadow; but, I do not have any new group for > >sshd. > > > >Yes, I have seen the instructions for installing manually; but, I > >cannot find a reason for the special group. > > > >What do you think? > > Good question. I wondered the same thing, figured "'cause Theo said > so.." and dismissed it. But after you asked, I checked the source... > :-) > > sshd.c in privsep_preauth_child does a setgid() from the sshd's > primary group (in passwd) when setting up the chroot jail. The > manual instructions make sure that the uid:gid is sshd:sshd. > So I guess "'cause Theo said so" works. :-) > > I'm curious though, on your debian systems, what is the gid for the > sshd user? The sshd.c source seems to indicate that sshd will fail > if the group doesn't exist. Precisely my point! sshd is working without incident on all of these boxen. I thought the same as you, that this should fail of give me some kind of error log; but, I haven't found anything wrong and I've been using it for nearly a week now ;< How can I check which gid it's using, since once it's successfully logged in it resorts to root? What do you think? -- Best Regards, mds mds resource 888.250.3987 Dare to fix things before they break . . . Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . . --- This sf.net email is sponsored by:ThinkGeek No, I will not fix your computer. http://thinkgeek.com/sf ___ Leaf-devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-devel
Re: [Leaf-devel] OpenSSH security
>I'm curious about /etc/group modification? > >I've upgraded two (2) potato's and two (2) woody's. Yes, there is a >new user in passwd/shadow; but, I do not have any new group for >sshd. > >Yes, I have seen the instructions for installing manually; but, I >cannot find a reason for the special group. > >What do you think? Good question. I wondered the same thing, figured "'cause Theo said so.." and dismissed it. But after you asked, I checked the source... :-) sshd.c in privsep_preauth_child does a setgid() from the sshd's primary group (in passwd) when setting up the chroot jail. The manual instructions make sure that the uid:gid is sshd:sshd. So I guess "'cause Theo said so" works. :-) I'm curious though, on your debian systems, what is the gid for the sshd user? The sshd.c source seems to indicate that sshd will fail if the group doesn't exist. --- This sf.net email is sponsored by:ThinkGeek No, I will not fix your computer. http://thinkgeek.com/sf ___ Leaf-devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-devel
Re: [Leaf-devel] OpenSSH security
Jacques Nilo wrote: > [ snip ] > > At this point, a default compile of OpenSSH will use privilege separation > > with the sshd user. For new LEAF installations/releases, do we want to > > deviate from the (new) OpenSSH standard, or accomodate it and move on? > > > I have a clear position on this: we should stick to the new default openssh > config which implies privilege separation an therefore the creation of a sshd > user and group (Debian does this, Mandrake as well) > I will update Bering accordingly for the final release and update my openssh > package suite accordingly. I'm curious about /etc/group modification? I've upgraded two (2) potato's and two (2) woody's. Yes, there is a new user in passwd/shadow; but, I do not have any new group for sshd. Yes, I have seen the instructions for installing manually; but, I cannot find a reason for the special group. What do you think? -- Best Regards, mds mds resource 888.250.3987 Dare to fix things before they break . . . Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . . --- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf ___ Leaf-devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-devel
Re: [Leaf-devel] OpenSSH security
Le Mardi 2 Juillet 2002 18:20, Nathan Angelacos a écrit : > On 1 Jul 2002 at 22:38, Greg Morgan wrote: > >I believe you need to correct your web site. It says that you changed > >the location of ssh_config in the packages. I believe there are two > >configuration files with one character different, a d. > >ssh.lrp contains /etc/ssh/ssh_config. > >sshd.lrp contains /etc/ssh/sshd_config. > > Thanks for your comments, Greg. > Yes, there are two configuration files. Jacques' packaging has: > > sshd.lrp containing > /etc/ssh/ssh_config > /etc/ssh/sshd_config > > ssh.lrp does not contain any /etc/ssh/*_config files > > These packages move only the /etc/ssh/ssh_config to ssh.lrp, and leave > /etc/ssh/sshd_config in sshd.lrp > > My thinking was the config file should go with the program. I'm willing to > have my thinking corrected, though. (Or is it just that the web page can > have a better explanation?) > There was an explanation at the time I created the packages but honnestly I just cannot remember it :-) > Brief answer: > Yes, privilege separation is extra protection (against future attacks). > No, its not necessary to go through creating a new user if you disable > privilege separation in sshd_config. > > To answer your question "is it necessary to go through this?" for deployed > LEAF boxes, I'd probably be inclined to install the 3.4 OpenSSH, disable > privilege separation in sshd_config, and go on. That should be a simple > upgrade. > > The question (for me) is what about new LEAF installations and what about > the future? One thing I really like about Bering is that Jacques is > trying to stay close to "standard." > > The options that I see for ssh*.lrp are: > > - compile as default, create sshd user and group > - compile with priviledge separation, but use "nobody" for chroot jail > - compile without priviledge separation enabled > > > At this point, a default compile of OpenSSH will use privilege separation > with the sshd user. For new LEAF installations/releases, do we want to > deviate from the (new) OpenSSH standard, or accomodate it and move on? > I have a clear position on this: we should stick to the new default openssh config which implies privilege separation an therefore the creation of a sshd user and group (Debian does this, Mandrake as well) I will update Bering accordingly for the final release and update my openssh package suite accordingly. Jacques --- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf ___ Leaf-devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-devel
Re: [Leaf-devel] OpenSSH security
> At this point, a default compile of OpenSSH will use privilege separation > with the sshd user. For new LEAF installations/releases, do we want to > deviate from the (new) OpenSSH standard, or accomodate it and move on? > > Either answer is fine with me, as long as there is some sort of informed > consensus. I vote for running with privilege sepration, and doing whatever is required for existing systems (ie adding an ssh user, and maybe including a script to do this for typical LEAF users who don't want to do it manually). The ssh user should be added to new distributions. Charles Steinkuehler http://lrp.steinkuehler.net http://c0wz.steinkuehler.net (lrp.c0wz.com mirror) --- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf ___ Leaf-devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-devel
Re: [Leaf-devel] OpenSSH security
On 1 Jul 2002 at 22:38, Greg Morgan wrote: >I believe you need to correct your web site. It says that you changed >the location of ssh_config in the packages. I believe there are two >configuration files with one character different, a d. >ssh.lrp contains /etc/ssh/ssh_config. >sshd.lrp contains /etc/ssh/sshd_config. Thanks for your comments, Greg. Yes, there are two configuration files. Jacques' packaging has: sshd.lrp containing /etc/ssh/ssh_config /etc/ssh/sshd_config ssh.lrp does not contain any /etc/ssh/*_config files These packages move only the /etc/ssh/ssh_config to ssh.lrp, and leave /etc/ssh/sshd_config in sshd.lrp My thinking was the config file should go with the program. I'm willing to have my thinking corrected, though. (Or is it just that the web page can have a better explanation?) >I was reading http://www.openssh.com/txt/preauth.adv under "1. Versions >affected: >... >OpenSSH 3.4 and later are not affected." > > >If the package you compiled fixes this problem and numerous others, >then is the idea here just to add additional protection by disabling >privileges escalation? Security safeguard on another safeguard may be a >good thing. But if privilege separation is not required in 3.4, is it >necessary to go through this? > >I am just trying to sort the issues out here. Any thoughts. Well, that's two of us trying to sort out the issues. :-) Brief answer: Yes, privilege separation is extra protection (against future attacks). No, its not necessary to go through creating a new user if you disable privilege separation in sshd_config. Long answer: According to http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102495293705094&w2 Privilege separation takes ~24500 lines of code and puts it in a chroot jail, leaving only ~2500 lines of code running as root. I believe the thinking here is that privilege separation doesn't fix this problem specifically; it makes it less likely for there to be privilege escalation in the future. Privilege separation was evidently available in earlier versions of openSSH, the difference is that it is now the default. To answer your question "is it necessary to go through this?" for deployed LEAF boxes, I'd probably be inclined to install the 3.4 OpenSSH, disable privilege separation in sshd_config, and go on. That should be a simple upgrade. The question (for me) is what about new LEAF installations and what about the future? One thing I really like about Bering is that Jacques is trying to stay close to "standard." The options that I see for ssh*.lrp are: - compile as default, create sshd user and group - compile with priviledge separation, but use "nobody" for chroot jail - compile without priviledge separation enabled At this point, a default compile of OpenSSH will use privilege separation with the sshd user. For new LEAF installations/releases, do we want to deviate from the (new) OpenSSH standard, or accomodate it and move on? Either answer is fine with me, as long as there is some sort of informed consensus. >Redhat says they are not vulnerable. >I did the did this in sshd_config file >and was denied service after I applied the Redhat patch. Funny. One of our sites changed his firewall rules to completely block port 22 traffic. He wasn't vulnerable either. :-) Thanks again! Nathan --- --- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf ___ Leaf-devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-devel
Re: [Leaf-devel] OpenSSH security
"Nathan Angelacos" <[EMAIL PROTECTED]> wrote: > I've compiled new openSSH 3.4p1 lrps based on J. Nilo's packages. > Since they are larger than the patch manager limit, > they are available for download at http://www.nothome.org:8000/ I believe you need to correct your web site. It says that you changed the location of ssh_config in the packages. I believe there are two configuration files with one character different, a d. ssh.lrp contains /etc/ssh/ssh_config. sshd.lrp contains /etc/ssh/sshd_config. > I'll leave the page up until next Friday (5 Jul 2002.) > > The md5 sums for the packages are: > > 92395eae01a299a4c5412513482c90b0 sftp.lrp > 0c9e5948681f5e20ef632e380d4928d1 sshd.lrp > 0c5124438f4b9a0faca1d37b9f7b8846 sshkey.lrp > 2087bea66f66ac5f2922551e26723b01 ssh.lrp > > Compilation notes are in sshd.lrp, in /var/lib/lrpkg/sshd.notes > > I would still be interested in knowing whether sshd should be a standard > LEAF user, or if you all think not using priv separation is ok, or if a > standard user (like nobody) should be used. > I was reading http://www.openssh.com/txt/preauth.adv under "1. Versions affected: ... OpenSSH 3.4 and later are not affected." They say this is the fourh revision to the document. If the package you compiled fixes this problem and numerous others, then is the idea here just to add additional protection by disabling privileges escalation? Security safeguard on another safeguard may be a good thing. But if privilege separation is not required in 3.4, is it necessary to go through this? I am just trying to sort the issues out here. Any thoughts. Redhat says they are not vulnerable. http://rhn.redhat.com/errata/RHSA-2002-127.html I did the did this in sshd_config file ChallengeResponseAuthentication no and was denied service after I applied the Redhat patch. Yes and it was a remote server too. snicker. The server has logins disabled and required ssh key access. Greg Morgan --- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf ___ Leaf-devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-devel
RE: [Leaf-devel] OpenSSH security
I've compiled new openSSH 3.4p1 lrps based on J. Nilo's packages. Since they are larger than the patch manager limit, they are available for download at http://www.nothome.org:8000/ I'll leave the page up until next Friday (5 Jul 2002.) The md5 sums for the packages are: 92395eae01a299a4c5412513482c90b0 sftp.lrp 0c9e5948681f5e20ef632e380d4928d1 sshd.lrp 0c5124438f4b9a0faca1d37b9f7b8846 sshkey.lrp 2087bea66f66ac5f2922551e26723b01 ssh.lrp Compilation notes are in sshd.lrp, in /var/lib/lrpkg/sshd.notes I would still be interested in knowing whether sshd should be a standard LEAF user, or if you all think not using priv separation is ok, or if a standard user (like nobody) should be used. --- --- Sponsored by: ThinkGeek at http://www.ThinkGeek.com/ ___ Leaf-devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-devel
Re: [Leaf-devel] OpenSSH security
On Wed, 2002-06-26 at 17:59, Nathan Angelacos wrote: > > >On Wed, 2002-06-26 at 08:08, Mike Noyes wrote: > >The vulnerability details are now public. > > Thanks for the heads-up, Mike. Unfortunately I only subscribe to the > digest, so I got your notice after my post. > > Needless to say, I'll be putting together a brand-new *3.4* openSSH lrp > tomorrow, if anyone is interested. Nathan, Please consider contributing your new package to us in the SourceForge patch manager. Thanks. LEAF Contributions http://leaf-project.org/mod.php?mod=userpage&menu=16&page_id=22 -- Mike Noyes <[EMAIL PROTECTED]> http://sourceforge.net/users/mhnoyes/ http://leaf-project.org/ --- This sf.net email is sponsored by: Jabber Inc. Don't miss the IM event of the season | Special offer for OSDN members! JabberConf 2002, Aug. 20-22, Keystone, CO http://www.jabberconf.com/osdn ___ Leaf-devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-devel
Re: [Leaf-devel] OpenSSH security
>On Wed, 2002-06-26 at 08:08, Mike Noyes wrote: >The vulnerability details are now public. Thanks for the heads-up, Mike. Unfortunately I only subscribe to the digest, so I got your notice after my post. Needless to say, I'll be putting together a brand-new *3.4* openSSH lrp tomorrow, if anyone is interested. Anyway, thanks again, Mike. I really appreciate your efforts. --- This sf.net email is sponsored by: Jabber Inc. Don't miss the IM event of the season | Special offer for OSDN members! JabberConf 2002, Aug. 20-22, Keystone, CO http://www.jabberconf.com/osdn ___ Leaf-devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-devel
Re: [Leaf-devel] OpenSSH security
On Wed, 2002-06-26 at 08:08, Mike Noyes wrote: > On Wed, 2002-06-26 at 07:05, David Douthitt wrote: > > Sounds like the bug isn't "fixed" but a work-around exists... > > David, > You're correct. There are a list of recent security advisories on this > at: > http://www.linuxsecurity.com/advisories/index.html > > NetSecurity has an in-depth article on this vulnerability. > http://www.net-security.org/article.php?id=138 Everyone, The vulnerability details are now public. http://online.securityfocus.com/archive/1/278818/2002-06-23/2002-06-29/0 -- Mike Noyes <[EMAIL PROTECTED]> http://sourceforge.net/users/mhnoyes/ http://leaf-project.org/ --- This sf.net email is sponsored by: Jabber Inc. Don't miss the IM event of the season | Special offer for OSDN members! JabberConf 2002, Aug. 20-22, Keystone, CO http://www.jabberconf.com/osdn ___ Leaf-devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-devel
Re: [Leaf-devel] OpenSSH security
On Wed, 2002-06-26 at 07:05, David Douthitt wrote: > On Mon, Jun 24, 2002 at 03:14:39PM -0700, Mike Noyes wrote: > > > There is a problem with OpenSSH. > > > > [Fwd: [SECURITY] [DSA-134-1] OpenSSH remote vulnerability] > > Theo de Raadt announced that the OpenBSD team is working with ISS > > on a remote exploit for OpenSSH (a free implementation of the > > Secure SHell protocol). They are refusing to provide any details on > > the vulnerability but instead are advising everyone to upgrade to > > the latest release, version 3.3. > > Sounds like the bug isn't "fixed" but a work-around exists... David, You're correct. There are a list of recent security advisories on this at: http://www.linuxsecurity.com/advisories/index.html NetSecurity has an in-depth article on this vulnerability. http://www.net-security.org/article.php?id=138 -- Mike Noyes <[EMAIL PROTECTED]> http://sourceforge.net/users/mhnoyes/ http://leaf-project.org/ --- This sf.net email is sponsored by: Jabber Inc. Don't miss the IM event of the season | Special offer for OSDN members! JabberConf 2002, Aug. 20-22, Keystone, CO http://www.jabberconf.com/osdn ___ Leaf-devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-devel
Re: [Leaf-devel] OpenSSH security
On Mon, Jun 24, 2002 at 03:14:39PM -0700, Mike Noyes wrote: > There is a problem with OpenSSH. > > [Fwd: [SECURITY] [DSA-134-1] OpenSSH remote vulnerability] > Theo de Raadt announced that the OpenBSD team is working with ISS > on a remote exploit for OpenSSH (a free implementation of the > Secure SHell protocol). They are refusing to provide any details on > the vulnerability but instead are advising everyone to upgrade to > the latest release, version 3.3. Sounds like the bug isn't "fixed" but a work-around exists... Here is how the Mandrake Security Release reads: Mandrake Linux Security Update Advisory Package name: openssh Advisory ID:MDKSA-2002:040 Date: June 24th, 2002 Affected versions: 7.1, 7.2, 8.0, 8.1, 8.2, Corporate Server 1.0.1, Single Network Firewall 7.2 Problem Description: Details of an upcoming OpenSSH vulnerability will be published early next week. According to the OpenSSH team, this remote vulnerability cannot be exploited when sshd is running with privilege separation. The priv separation code is significantly improved in version 3.3 of OpenSSH which was released on June 21st. Unfortunately, there are some known problems with this release; compression does not work on all operating systems and the PAM support has not been completed. The OpenSSH team encourages everyone to upgrade to version 3.3 immediately and enable privilege separation. This can be enabled by placing in your /etc/ssh/sshd_config file the following: UsePrivilegeSeparation yes The vulnerability that will be disclosed next week is not fixed in version 3.3 of OpenSSH, however with priv separation enabled, you will not be vulnerable to it. This is because privilege separation uses a seperate non-privileged process to handle most of the work, meaning that any vulnerability in this part of OpenSSH will never lead to a root compromise. Only access as the non-privileged user restricted in chroot would be available. MandrakeSoft encourages all of our users to upgrade to the updated packages immediately. This update creates a new user and group on the system named sshd that is used to run the non-privileged processes. References: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102495293705094&w=2 --- This sf.net email is sponsored by: Jabber Inc. Don't miss the IM event of the season | Special offer for OSDN members! JabConf 2002, Aug. 20-22, Keystone, CO http://www.jabberconf.com/osdn ___ Leaf-devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-devel
[Leaf-devel] OpenSSH security
Everyone, There is a problem with OpenSSH. [Fwd: [SECURITY] [DSA-134-1] OpenSSH remote vulnerability] Theo de Raadt announced that the OpenBSD team is working with ISS on a remote exploit for OpenSSH (a free implementation of the Secure SHell protocol). They are refusing to provide any details on the vulnerability but instead are advising everyone to upgrade to the latest release, version 3.3. -- Mike Noyes <[EMAIL PROTECTED]> http://sourceforge.net/users/mhnoyes/ http://leaf-project.org/ --- Sponsored by: ThinkGeek at http://www.ThinkGeek.com/ ___ Leaf-devel mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-devel