RE: [cobalt-security] Significant OpenSSH Vulnerability ??
- Subject: RE: [cobalt-security] Significant OpenSSH Vulnerability ??
- From: "Matthew Nuzum" <cobalt@xxxxxxxxxxxxx>
- Date: Tue, 25 Jun 2002 16:18:39 -0400
- Organization: Bearfruit.org
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
You guys who are compiling Apache:
Are you trying to get mod_auth_pam working? If so, what have you done
to do it? My attempts fail, but I can't find the correct sources for
it.
I'd love to hear how you're doing it.
Matthew Nuzum
www.bearfruit.org
cobalt@xxxxxxxxxxxxx
> -----Original Message-----
> From: cobalt-security-admin@xxxxxxxxxxxxxxx [mailto:cobalt-security-
> admin@xxxxxxxxxxxxxxx] On Behalf Of Michael Stauber
> Sent: Tuesday, June 25, 2002 4:06 PM
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: Re: [cobalt-security] Significant OpenSSH Vulnerability ??
>
> Hi Jelmer,
>
> > I compiled OpenSSH-3.3p1 today on a Raq4i. I had to recompile openSSL too,
> > because the cobalt dist had no static libcrypto installed. (see below)
>
> I usually compile a newer openssl-0.9.6d and zlib-1.1.4 in /opt and do not
> "make install" on 'em. Then I compile Openssh and statically link 'em against
> the openssl and zlib which I have in /opt
>
> That makes sure that the older Openssl on the RaQs is not overwritten as that
> might cause problems with other applications which dynamically link against
> them.
>
> > After this and some option-setting Privilege separation seems to work fine.
>
> Correct. That's what I did in my PKGs for the RaQ3, RaQ4, Qube3 and XTR as
> well: compile OpenSSH *with* PrivSep and then disable it specifically in
> sshd_config
>
> Only on the RaQ550 I leave PrivSep enabled as it seems to work fine over there
> (2.4-Kernel sure helps).
>
> Here are my OpenSSH-3.3p1 compile options:
>
> ./configure --prefix=/usr \
> --sysconfdir=/etc/ssh \
> --with-ssl-dir=/opt/openssl-0.9.6d \
> --with-zlib=/opt/zlib-1.1.4 \
> --libexecdir=/usr/libexec/openssh \
> --with-ipv4-default \
> --with-pam=/lib/security \
> --with-md5-passwords \
> --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin \
> --with-privsep-user=nobody \
> --with-privsep-path=/home/sites
>
> > My next project will be compiling Apache 2.X, together with mod_perl, a new
> > perl (needed too), and php.
>
> I'm not sure if that's a wise idea. So far I still doubt the stability of
> Apache 2.X a little, but by all means I'd be interested in your progress on
> that if you decide to give it a go.
>
> FWIW: Compiling and running Apache-1.3.26 isn't that big of an issue if you
> can afford to do without Chilisoft and Frontpage support. Aside from that
> it's still possible to run the AdmServ.
>
>
> --
>
> Mit freundlichen Grüßen / With best regards
>
> Michael Stauber
> mstauber@xxxxxxxxxxxxxx
> Unix/Linux Support Engineer
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
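
An added example, not part of the original thread or of anyone's packages: two checks for the build described in the quoted message, one confirming from `ldd` output that sshd no longer resolves libcrypto, libssl or libz as shared objects, the other reporting the effective `UsePrivilegeSeparation` value in an sshd_config. The function names and sample inputs are constructed for illustration, and the fallback of `yes` assumes the OpenSSH 3.3 default.

```shell
#!/bin/sh
# Usage on a real host (paths are assumptions, adjust to the install prefix):
#   ldd /usr/sbin/sshd | shared_deps
#   privsep_setting < /etc/ssh/sshd_config

# shared_deps: read `ldd` output on stdin and print which of libcrypto,
# libssl and libz are still resolved as shared objects. A build that is
# statically linked against the copies in /opt prints an empty line.
shared_deps() {
    awk '$1 ~ /^lib(crypto|ssl|z)\.so/ {
             sub(/\.so.*/, "", $1)
             if (!seen[$1]++) out = out (out ? " " : "") $1
         }
         END { print out }'
}

# privsep_setting: read an sshd_config on stdin and print the effective
# UsePrivilegeSeparation value. Keywords are case-insensitive and sshd keeps
# the first value it reads for a keyword, so later duplicates are ignored.
# $1 is the value to report when the keyword is absent (assumed "yes").
privsep_setting() {
    awk -v def="${1:-yes}" '
        { sub(/#.*/, "") }                       # drop comments
        NF >= 2 && tolower($1) == "useprivilegeseparation" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print def }'
}

# Constructed sample inputs (not captured from a real RaQ).
sample_ldd='	libutil.so.1 => /lib/libutil.so.1 (0x40018000)
	libcrypto.so.0 => /usr/lib/libcrypto.so.0 (0x4001b000)
	libc.so.6 => /lib/libc.so.6 (0x400d0000)'
sample_config='# sshd_config (constructed)
Port 22
#UsePrivilegeSeparation yes
UsePrivilegeSeparation no'

echo "shared crypto/zlib deps: $(printf '%s\n' "$sample_ldd" | shared_deps)"
echo "UsePrivilegeSeparation:  $(printf '%s\n' "$sample_config" | privsep_setting)"
```

A non-empty first line means the binary still depends on the system OpenSSL or zlib and was not linked the way the quoted message describes.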