Re: [suse-security] SuSE-SA:2002:023
Joerg Mayer
On Tue, Jul 02, 2002 at 11:36:13PM +0200, Christian Laursen wrote:
Is there a chance of an update which will work with both privsep and compression at some point in the near future, or will we have to wait for SuSE 8.1 to get that?
It already DOES work, iff you have a 2.4 kernel. The problem is with missing features in the shared mem implementation in 2.2 and earlier kernels.
Sorry, but on the three machines I have now tested it on, it doesn't.
They are all running SuSE 8.0. One of them with the SuSE 2.4.18-4GB kernel, one with 2.4.18 and one with 2.4.19-rc1.
On all of them I get the following message, when I start sshd:
This platform does not support both privilege separation and compression
Compression disabled
--
Best regards
Christian Laursen
On Tue, Jul 02, 2002 at 11:36:13PM +0200, Christian Laursen wrote:
Is there a chance of an update which will work with both privsep and compression at some point in the near future, or will we have to wait for SuSE 8.1 to get that?
It already DOES work, iff you have a 2.4 kernel. The problem is with missing features in the shared mem implementation in 2.2 and earlier kernels.
That's another problem - Olaf and Solar Designer have made a backwards compatibility patch for the older distributions. I have removed this patch from the 8.0 package earlier today (yesterday) because 8.0 doesn't come with 2.2 kernels any more.
Sorry, but on the three machines I have now tested it on, it doesn't.
They are all running SuSE 8.0. One of them with the SuSE 2.4.18-4GB kernel, one with 2.4.18 and one with 2.4.19-rc1.
On all of them I get the following message, when I start sshd:
This platform does not support both privilege separation and compression
Compression disabled
It's on our wishlist as well, yes. Compression is desirable wherever your link is weaker than your CPU. The 8.0 package has another bug that needs a fix: Key generation in the start script. It's a bit of a mess...
Christian Laursen
Thanks,
Roman.
--
- -
| Roman Drahtmüller
Is there a chance of an update which will work with both privsep and compression at some point in the near future, or will we have to wait for SuSE 8.1 to get that?
It already DOES work, iff you have a 2.4 kernel. The problem is with missing features in the shared mem implementation in 2.2 and earlier kernels.
That's another problem - Olaf and Solar Designer have made a backwards compatibility patch for the older distributions. I have removed this patch from the 8.0 package earlier today (yesterday) because 8.0 doesn't come with 2.2 kernels any more.
[...]
It's on our wishlist as well, yes. Compression is desirable wherever your link is weaker than your CPU.
yes yes... Adding the patch again right now since anon mmaps might not be supported at compile-time on one or more machines in our build farm. This is messy. Expect the update package for 8.0 as soon as it has passed our testing team.
The 8.0 package has another bug that needs a fix: Key generation in the start script. It's a bit of a mess...
Fixed.
Roman.
--
- -
| Roman Drahtmüller
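Added example (not from the thread and not OpenSSH code): a runtime probe for the feature referred to above as "anon mmaps", assuming that what is needed is a MAP_ANON|MAP_SHARED mapping that stays shared across fork(). Running a check like this on the target host shows what the running kernel supports, independent of what the build host's kernel offered. The function name is hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* expose MAP_ANONYMOUS on glibc */
#endif
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

/* Hypothetical helper: returns 1 if data written by a forked child into a
 * MAP_ANON|MAP_SHARED region is visible to the parent, 0 if the mapping
 * is not actually shared, -1 if mmap/fork/wait failed. */
int anon_shared_mmap_works(void)
{
    const char marker[] = "shared-ok";            /* constructed test value */
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    char *region = mmap(NULL, len, PROT_READ | PROT_WRITE,
                        MAP_ANON | MAP_SHARED, -1, 0);
    if (region == MAP_FAILED)
        return -1;                                /* kernel refused the mapping */
    memset(region, 0, len);

    pid_t pid = fork();
    if (pid < 0) { munmap(region, len); return -1; }
    if (pid == 0) {                               /* child: write and exit */
        memcpy(region, marker, sizeof(marker));
        _exit(0);
    }
    int status = 0, result;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        result = -1;
    else                                          /* parent: did the write arrive? */
        result = (memcmp(region, marker, sizeof(marker)) == 0) ? 1 : 0;
    munmap(region, len);
    return result;
}

int main(void)
{
    int r = anon_shared_mmap_works();
    printf("anonymous shared mmap across fork: %s\n",
           r == 1 ? "supported" : r == 0 ? "not shared" : "error");
    return r == 1 ? 0 : 1;
}
```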
* Roman Drahtmueller;
Is there a chance of an update which will work with both privsep and compression at some point in the near future, or will we have to wait for SuSE 8.1 to get that?
It already DOES work, iff you have a 2.4 kernel. The problem is with missing features in the shared mem implementation in 2.2 and earlier kernels.
It's on our wishlist as well, yes. Compression is desirable wherever your link is weaker than your CPU.
yes yes... Adding the patch again right now since anon mmaps might not be supported at compile-time on one or more machines in our build farm. This is messy.
Expect the update package for 8.0 as soon as it has passed our testing team.
Are we expecting a newer package than openssh-3.4p1-4 as when I start sshd on an 8.0 machine I get the following message
"This platform does not support both privilege separation and compression Compression disabled"
Thanks
--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
Are we expecting a newer package than openssh-3.4p1-4 as when I start sshd on an 8.0 machine I get the following message
"This platform does not support both privilege separation and compression Compression disabled"
...is on the way. The packages have been built on a 2.2 machine. :-(
Roman.
--
- -
| Roman Drahtmüller
Are we expecting a newer package than openssh-3.4p1-4 as when I start sshd on an 8.0 machine I get the following message
"This platform does not support both privilege separation and compression Compression disabled"
As I know from an announcement V3.4 should have compression enabled. The early 3.3 had no support and no full pam-support. If they did not get it working in 3.4, other features may not work as well. This would be a bad thing!
If true, the V3.4 is still a beta or alpha!
Even the exploit was not that discussed, where the problem is. Official posts on www.openssh.org say that old versions with SuSE standard settings are not affected! So why update to an incomplete fix?
Second thing is, why does SuSE build packages for 2.4 kernel on 2.2 machines (this was done for openssh 3.4, as I read all posts)?
Philippe
On Wed, 2002-07-03 at 05:32, Philippe Vogel wrote:
As I know from an announcement V3.4 should have compression enabled. The early 3.3 had no support and no full pam-support. If they did not get it working in 3.4, other features may not work as well. This would be a bad thing!
What exactly is the problem with Openssh 3.4 and SUSE 8.0? I compiled it on my system when it came out and both UsePrivilegeSeparation and Compression worked fine.
Charles
--
"...Unix, MS-DOS, and Windows NT (also known as the Good, the Bad, and the Ugly)." (By Matt Welsh)
As I know from an announcement V3.4 should have compression enabled. The early 3.3 had no support and no full pam-support. If they did not get it working in 3.4, other features may not work as well. This would be a bad thing!
If true, the V3.4 is still a beta or alpha!
Even the exploit was not that discussed, where the problem is. Official posts on www.openssh.org say that old versions with SuSE standard settings are not affected! So why update to an incomplete fix?
Second thing is, why does SuSE build packages for 2.4 kernel on 2.2 machines (this was done for openssh 3.4, as I read all posts)?
Our build farm builds packages in chrooted environments. This is one out of 4000 cases where the running kernel version matters, and, frankly, we think it's braindead. We have had another problem almost two years ago where a build script in some package remounted /proc read-only in the chroot environment. No problem for 2.2 kernels, the /proc outside the chroot is untouched. In 2.4 though, all mounted proc filesystems change options. If you want to have that kind of flexibility, you have to work around some problems sometimes.
Philippe
Thanks,
Roman.
--
- -
| Roman Drahtmüller
* Roman Drahtmueller wrote on Wed, Jul 03, 2002 at 11:55 +0200:
Well, I know it's OT, but I think it's interesting :)
Our build farm builds packages in chrooted environments. This is one out of 4000 cases where the running kernel version matters, and, frankly, we think it's braindead.
The kernel running at build time does matter? Why that?! And will the next kernel upgrade have ssh as dependency or what?
We have had another problem almost two years ago where a build script in some package remounted /proc read-only in the chroot environment. No problem for 2.2 kernels, the /proc outside the chroot is untouched. In 2.4 though, all mounted proc filesystems change options.
What does this mean? I do not understand it.
oki,
Steffen
--
This letter was generated by machine and therefore bears neither signature nor seal.
participants (6)
- Charles Philip Chan
- Christian Laursen
- Philippe Vogel
- Roman Drahtmueller
- Steffen Dettmer
- Togan Muftuoglu