Re: [cobalt-security] Significant OpenSSH Vulnerability ??
- Subject: Re: [cobalt-security] Significant OpenSSH Vulnerability ??
- From: grbear@xxxxxxx
- Date: Wed, 26 Jun 2002 15:36:25 -0600
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Thank you for the helpful, and insightful, reply.
I'll have to recompile the new version this evening; I should have
waited the extra day, as I just updated OpenSSL and installed OpenSSH
last night. *laughs*
Cheers!
----- Original Message -----
From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
Date: Wednesday, June 26, 2002 2:48 pm
Subject: Re: [cobalt-security] Significant OpenSSH Vulnerability ??
> > Now that 3.4p1 has been released, can we now safely leave out the
> > --with-privsep* options?
>
> You could leave it out, but quite honestly: You don't want to. Privilege
> separation is the *most* useful and best feature in OpenSSH ever.
>
> To quote Theo de Raadt:
>
> Basically, OpenSSH sshd(8) is something like 27000 lines of code. A
> lot of that runs as root. But when UsePrivilegeSeparation is enabled,
> the daemon splits into two parts. A part containing about 2500 lines
> of code remains as root, and the rest of the code is shoved into a
> chroot-jail without any privs. This makes the daemon less vulnerable
> to attack.
>
> So you see that the privilege separation is something which you really
> should use now that it also works on RaQs with 2.2.X kernels.
>
> --
>
> Mit freundlichen Grüßen / With best regards
>
> Michael Stauber
> mstauber@xxxxxxxxxxxxxx
> Unix/Linux Support Engineer
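The split described in the quoted reply, reduced to its mechanism: a small monitor keeps its privileges while the child enters an empty chroot and drops root before handling any request. This is an added example, not part of the thread and not OpenSSH's code; the function names, the uid/gid 65534, the temporary jail directory and the 8-byte `AUTH` request format are assumptions made for the illustration.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_ID 65534  /* assumption: uid/gid of an unprivileged account */

/* Child side: enter an empty chroot and give up root before any untrusted
 * input is parsed. Without root (a demo run) there is nothing to drop. */
static int drop_privileges(const char *jail) {
    gid_t g = UNPRIV_ID;
    if (geteuid() != 0) return 0;
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    if (setgroups(1, &g) != 0 || setgid(g) != 0 || setuid(UNPRIV_ID) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;  /* getting root back must fail */
}

/* Monitor side: the small part that keeps its privileges. It accepts one
 * fixed 8-byte request (constructed format) and refuses everything else. */
static char monitor_decide(const char *req, ssize_t n) {
    if (n != 8 || memcmp(req, "AUTH", 4) != 0) return 'E';
    return memcmp(req + 4, "good", 4) == 0 ? 'Y' : 'N';  /* stand-in for a real check */
}

/* Sends one request from the jailed child to the monitor. Returns the answer
 * the child received ('Y', 'N' or 'E'), or -1 if the split could not be set up. */
int privsep_roundtrip(const char *req, size_t len) {
    char jail[] = "/tmp/privsep-XXXXXX", buf[64], verdict;
    int sp[2], status = 0;
    pid_t pid;
    if (len == 0 || !mkdtemp(jail)) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) != 0) { rmdir(jail); return -1; }
    if ((pid = fork()) == 0) {  /* child: where the bulk of a daemon's code would run */
        char ans = 0;
        close(sp[0]);
        if (drop_privileges(jail) != 0) _exit(255);
        if (write(sp[1], req, len) != (ssize_t)len || read(sp[1], &ans, 1) != 1) _exit(254);
        _exit((unsigned char)ans);
    }
    close(sp[1]);
    verdict = monitor_decide(buf, pid > 0 ? read(sp[0], buf, sizeof buf) : -1);
    if (pid > 0) send(sp[0], &verdict, 1, MSG_NOSIGNAL);
    close(sp[0]);
    if (pid > 0 && waitpid(pid, &status, 0) != pid) pid = -1;
    rmdir(jail);
    return (pid > 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}
```

The only channel out of the jail is the socketpair, so the monitor's request validation is the whole remaining root-side surface the child can reach.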