[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] Significant OpenSSH Vulnerability ??

Subject: Re: [cobalt-security] Significant OpenSSH Vulnerability ??
From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
Date: Wed, 26 Jun 2002 22:48:47 +0200
Organization: SOLARSPEED.NET
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

> Now that 3.4p1 has been released, can we now safetly leave out the
> --with-privsep* options?

You could leave it out, but quite honestly: You don't want to. Privilege 
separation is the *most* useful and best features in OpenSSH ever.

To quote Theo de Raadt:

Basically, OpenSSH sshd(8) is something like 27000 lines of code.  A
lot of that runs as root.  But when UsePrivilegeSeparation is enabled,
the daemon splits into two parts.  A part containing about 2500 lines
of code remains as root, and the rest of the code is shoved into a
chroot-jail without any privs.  This makes the daemon less vulnerable
to attack.

So you see that the privilege separation is something which you really should 
use now that it also works on RaQs with 2.2.X kernels.

-- 

Mit freundlichen Grüßen / With best regards

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer

Follow-Ups:
- Re: [cobalt-security] Significant OpenSSH Vulnerability ??
  - From: Todd W

References:
- Re: [cobalt-security] Significant OpenSSH Vulnerability ??
  - From: grbear

Prev by Date: Re: [cobalt-security] Significant OpenSSH Vulnerability ??
Next by Date: Re: [cobalt-security] Significant OpenSSH Vulnerability ??
Previous by thread: Re: [cobalt-security] Significant OpenSSH Vulnerability ??
Next by thread: Re: [cobalt-security] Significant OpenSSH Vulnerability ??

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index