
Re: [cobalt-security] Significant OpenSSH Vulnerability ??



Hi,

From: "Michael Stauber"

> The OpenSSH mailing list and OpenSSH bugtracker mention that the
> privilege-separation support for Linux with 2.2.X kernels (and a few other
> architectures) is broken.
>
> So the only RaQ where privilege separation works is the RaQ550. I've run
> into that issue when I built PKGs with OpenSSH-3.3p1 two days ago.

I compiled OpenSSH-3.3p1 today on a Raq4i. I had to recompile OpenSSL too,
because the cobalt dist had no static libcrypto installed (see below). After
this and some option-setting, privilege separation seems to work fine.

The only problem is that the linux version of my raq does not support
mmap(MAP_ANON). But this is only needed when you use SSL-compression.
Setting the option



Compression No



in /etc/ssh/sshd_config helps. That is, if you don't need compression.


Information

I compiled openSSL from openssl-0.9.6d.tar.gz with options:
./config --prefix=/usr --openssldir=/usr/share/ssl shared no-idea -fno-strength-reduce



This overwrote the cobalt rpm (0.9.6b) version. I had to manually remove
/lib/libcrypto.* (which is now installed in /usr/lib)



I compiled openSSH from openssh-3.3p1.tar.gz with options:

./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-privsep-user=nobody

With the --with-privsep-user=nobody option there is no need to create an sshd
user, as the readme.privsep says. I had to create the /var/empty directory
according to the instructions.




I think the privsep option is a bit overdone (it drops privs only to pass a
lot of stuff to the root-process?), but it seems to be necessary because of
the upcoming bug-report.



My next project will be compiling Apache 2.X, together with mod_perl, a new
perl (needed too), and php. After this, I really cannot afford using any
cobalt packages. I don't use the adminserver any more (that is, for site
management). So, it's bye bye cobalt. Next time I just buy a big server and
fix stuff myself. That's a lot quicker and (therefore) safer.



Jelmer
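
A check for the two settings described in the message above, added here as an example and not part of the original post: it verifies that the privilege-separation directory exists, is empty, is owned by root and is not group- or world-writable (the requirements in OpenSSH's README.privsep), and that sshd_config turns compression off. The function name check_privsep and its owner-uid argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# check_privsep CONFIG DIR [OWNER_UID]
# Prints one line per finding and returns the number of findings.
check_privsep() {
    config=$1 dir=$2 want_uid=${3:-0} findings=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing"; findings=$((findings + 1))
    else
        # ls -ldn prints e.g. "drwxr-xr-x 2 0 0 ..." (numeric owner in field 3)
        mode=$(ls -ldn "$dir" | awk '{print $1}')
        uid=$(ls -ldn "$dir" | awk '{print $3}')
        [ "$uid" = "$want_uid" ] || {
            echo "FAIL: $dir owned by uid $uid, expected $want_uid"
            findings=$((findings + 1)); }
        # Characters 6 and 9 of the mode string are the group/other write bits.
        case "$(printf %s "$mode" | cut -c6,9)" in
            "--") ;;
            *) echo "FAIL: $dir is group- or world-writable ($mode)"
               findings=$((findings + 1)) ;;
        esac
        [ -z "$(ls -A "$dir")" ] || {
            echo "FAIL: $dir is not empty"; findings=$((findings + 1)); }
    fi

    # Take the first uncommented Compression line; keywords are case-insensitive.
    comp=$(awk 'tolower($1) == "compression" { print tolower($2); exit }' "$config")
    [ "$comp" = "no" ] || {
        echo "FAIL: Compression is '${comp:-unset}', expected 'no'"
        findings=$((findings + 1)); }
    return "$findings"
}

# Constructed demo: a temporary directory and config file stand in for
# /var/empty and /etc/ssh/sshd_config; the expected owner is the current user.
demo() {
    tmp=$(mktemp -d) && mkdir "$tmp/empty" && chmod 755 "$tmp/empty"
    printf '# constructed sample\nCompression No\n' > "$tmp/sshd_config"
    check_privsep "$tmp/sshd_config" "$tmp/empty" "$(id -u)" && echo "OK"
    rc=$?; rm -rf "$tmp"; return "$rc"
}
demo
```

On a real host the call would be `check_privsep /etc/ssh/sshd_config /var/empty`, which expects root ownership by default.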