Re: [cobalt-security] Significant OpenSSH Vulnerability ??
- Subject: Re: [cobalt-security] Significant OpenSSH Vulnerability ??
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Tue, 25 Jun 2002 22:06:08 +0200
- Organization: SOLARSPEED.NET
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Jelmer,
> I compiled OpenSSH-3.3p1 today on a Raq4i. I had to recompile OpenSSL too,
> because the Cobalt dist had no static libcrypto installed. (see below)
I usually compile a newer openssl-0.9.6d and zlib-1.1.4 in /opt and do not
"make install" on 'em. Then I compile OpenSSH and statically link 'em against
the openssl and zlib which I have in /opt.
That makes sure that the older Openssl on the RaQs is not overwritten as that
might cause problems with other applications which dynamically link against
them.
> After this and some option-setting Privilege separation seems to work fine.
Correct. That's what I did in my PKGs for the RaQ3, RaQ4, Qube3 and XTR as
well: compile OpenSSH *with* PrivSep and then disable it specifically in
sshd_config.
Only on the RaQ550 do I leave PrivSep enabled, as it seems to work fine over there
(2.4-Kernel sure helps).
Here are my OpenSSH-3.3p1 compile options:
./configure --prefix=/usr \
--sysconfdir=/etc/ssh \
--with-ssl-dir=/opt/openssl-0.9.6d \
--with-zlib=/opt/zlib-1.1.4 \
--libexecdir=/usr/libexec/openssh \
--with-ipv4-default \
--with-pam=/lib/security \
--with-md5-passwords \
--with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin \
--with-privsep-user=nobody \
--with-privsep-path=/home/sites
> My next project will be compiling Apache 2.X, together with mod_perl, a new
> perl (needed too), and php.
I'm not sure if that's a wise idea. So far I still doubt the stability of
Apache 2.X a little, but by all means I'd be interested in your progress on
that if you decide to give it a go.
FWIW: Compiling and running Apache-1.3.26 isn't that big of an issue if you
can afford to do without Chilisoft and Frontpage support. Aside from that
it's still possible to run the AdmServ.
--
Mit freundlichen Grüßen / With best regards
Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
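Two checks a practitioner would want after following the build described in this mail: that the resulting sshd really is linked statically against the /opt copies of OpenSSL and zlib rather than the system libcrypto/libz, and what the effective UsePrivilegeSeparation setting in sshd_config is. The script below is an added example, not Michael's or the OpenSSH project's code. It assumes sshd lands in /usr/sbin/sshd (from --prefix=/usr) and that `ldd` is available; the ldd output and sshd_config fragment embedded in it are constructed samples so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original mail): post-build checks for the
# static-link and PrivSep points discussed above. Paths and sample data
# below are constructed for illustration.

# uses_shared_lib LDD_OUTPUT LIBNAME
# Returns 0 if LIBNAME (e.g. libcrypto, libz) appears as a dynamically
# resolved library in the given ldd output, 1 otherwise. A build that is
# statically linked against /opt/openssl-0.9.6d and /opt/zlib-1.1.4 should
# show neither libcrypto nor libz here.
uses_shared_lib() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*$2\.so"
}

# privsep_setting SSHD_CONFIG_TEXT
# Prints the effective UsePrivilegeSeparation value. sshd uses the first
# non-comment occurrence of a keyword (keywords are case-insensitive);
# when the directive is absent, OpenSSH 3.3 defaults it to "yes".
privsep_setting() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "useprivilegeseparation" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }'
}

# Constructed sample: what ldd prints for an sshd that still picks up the
# system OpenSSL and zlib (the situation the static link is meant to avoid).
SAMPLE_LDD_DYNAMIC='	libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40020000)
	libz.so.1 => /usr/lib/libz.so.1 (0x400e0000)
	libc.so.6 => /lib/libc.so.6 (0x400f0000)'

# Constructed sample: ldd output for a statically linked build; only libc
# remains dynamic.
SAMPLE_LDD_STATIC='	libc.so.6 => /lib/libc.so.6 (0x400f0000)'

# Constructed sshd_config fragment with PrivSep disabled, as on the RaQ3/4.
SAMPLE_CONFIG='# constructed sshd_config fragment
Port 22
UsePrivilegeSeparation no
'

# Demonstration on the constructed samples. On a real box replace the
# samples with: uses_shared_lib "$(ldd /usr/sbin/sshd)" libcrypto
#               privsep_setting "$(cat /etc/ssh/sshd_config)"
for lib in libcrypto libz; do
    if uses_shared_lib "$SAMPLE_LDD_DYNAMIC" "$lib"; then
        echo "dynamic build: $lib is resolved from the system libraries"
    fi
    if uses_shared_lib "$SAMPLE_LDD_STATIC" "$lib"; then
        echo "static build: unexpected dependency on $lib"
    else
        echo "static build: no dynamic dependency on $lib"
    fi
done
echo "PrivSep in sample config: $(privsep_setting "$SAMPLE_CONFIG")"
echo "PrivSep when unset:       $(privsep_setting 'Port 22')"
```

Run it as-is to see the checks on the sample data; point the two functions at `ldd /usr/sbin/sshd` and `/etc/ssh/sshd_config` on the RaQ to check an actual build.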