Re: [cobalt-security] Significant OpenSSH Vulnerability ??



Hi Jelmer,

> I compiled OpenSSH-3.3p1 today on a Raq4i. I had to recompile openSSL too,
> because the cobalt dist had no static libcrypto installed. (see below)

I usually compile a newer openssl-0.9.6d and zlib-1.1.4 in /opt and do not 
"make install" on 'em. Then I compile OpenSSH and statically link 'em against 
the openssl and zlib which I have in /opt.

That makes sure that the older Openssl on the RaQs is not overwritten as that 
might cause problems with other applications which dynamically link against 
them.

> After this and some option-setting Privilege separation seems to work fine.

Correct. That's what I did in my PKGs for the RaQ3, RaQ4, Qube3 and XTR as 
well: compile OpenSSH *with* PrivSep and then disable it specifically in 
sshd_config.

Only on the RaQ550 do I leave PrivSep enabled, as it seems to work fine over there 
(2.4 kernel sure helps).

Here are my OpenSSH-3.3p1 compile options:

./configure --prefix=/usr \
        --sysconfdir=/etc/ssh \
        --with-ssl-dir=/opt/openssl-0.9.6d \
        --with-zlib=/opt/zlib-1.1.4 \
        --libexecdir=/usr/libexec/openssh \
        --with-ipv4-default \
        --with-pam=/lib/security \
        --with-md5-passwords \
        --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin \
        --with-privsep-user=nobody \
        --with-privsep-path=/home/sites

> My next project will be compiling Apache 2.X, together with mod_perl, a new
> perl (needed too), and php.

I'm not sure if that's a wise idea. So far I still doubt the stability of 
Apache 2.X a little, but by all means I'd be interested in your progress on 
that if you decide to give it a go. 

FWIW: Compiling and running Apache-1.3.26 isn't that big of an issue if you 
can afford to do without Chilisoft and Frontpage support. Aside from that 
it's still possible to run the AdmServ.
-- 

Mit freundlichen Grüßen / With best regards

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
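An added post-build check for the procedure described in the mail above (example code, not part of the original message or of any Cobalt package): it reads the effective UsePrivilegeSeparation value from an sshd_config and inspects ldd output for shared libcrypto/libssl/libz entries, which would mean the new sshd still picks up the old system OpenSSL at runtime instead of the static /opt build. The binary and config paths are assumptions passed in as arguments; the sample ldd lines in the comments are constructed.

```shell
#!/bin/sh
# Post-build sanity checks for an sshd built against a private OpenSSL/zlib
# under /opt with static linking, PrivSep toggled in sshd_config.
# Usage (paths are assumptions): ./check_sshd.sh /usr/sbin/sshd /etc/ssh/sshd_config

# Print the effective UsePrivilegeSeparation value from an sshd_config.
# Commented-out directives (leading '#') do not match. OpenSSH 3.3 enables
# PrivSep when the directive is absent, so a missing key is reported as "yes".
privsep_setting() {
    val=$(awk 'tolower($1) == "useprivilegeseparation" { print tolower($2); exit }' "$1")
    echo "${val:-yes}"
}

# Read ldd output on stdin and print any libcrypto/libssl/libz shared objects,
# e.g. a constructed line "libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6".
# A sshd that really linked OpenSSL and zlib statically prints nothing here.
dynamic_ssl_deps() {
    grep -E 'lib(crypto|ssl|z)\.so' | awk '{ print $1 }'
}

# Run both checks against a real binary and config; return 1 on any finding.
check_sshd_build() {
    sshd_bin=$1
    sshd_cfg=$2
    rc=0
    echo "UsePrivilegeSeparation: $(privsep_setting "$sshd_cfg")"
    # ldd prints "not a dynamic executable" and fails on a fully static binary,
    # which is the desired outcome, so its exit status is ignored.
    deps=$(ldd "$sshd_bin" 2>/dev/null | dynamic_ssl_deps)
    if [ -n "$deps" ]; then
        echo "WARNING: sshd is dynamically linked against:"
        echo "$deps"
        echo "It will load the system OpenSSL/zlib, not the /opt build."
        rc=1
    else
        echo "OK: no shared libcrypto/libssl/libz dependency"
    fi
    return $rc
}

if [ $# -ge 2 ]; then
    check_sshd_build "$1" "$2"
fi
```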