Hi Roman,

I know this would count as a last minute request... but can you folks package an SSH rpm (OpenSSH preferrably) that is compiled with libwrap? Being the lazy person I am, it would be much easier that having to unpack, rebuild and repack the module that is available on the website. :-)

We'll do. It was a bug a while ago that the package wasn't compiled against libwrap.a.

Thanks, Herman

Roman. -- - - | Roman Drahtmüller "Caution: Cape does not | SuSE GmbH - Security enable user to fly." | Nürnberg, Germany (Batman Costume warning label) | - -

Did you READ the part about my being lazy? Yes, I could do it myself, and have for the version that weren't compiled using libwrap. I was simply asking about future RPM, and whether this could be done. Thanks to Roman Drahtmueller for the positive response. - Herman On Mon, 12 Feb 2001, RoMaN SoFt / LLFB!! wrote: ->>On Mon, 12 Feb 2001 07:06:06 -0800, you wrote: ->> ->>>I know this would count as a last minute request... but can you folks package ->>>an SSH rpm (OpenSSH preferrably) that is compiled with libwrap? Being the ->> ->> Why don't you compile it by yourself? ->> ->> I've downloaded "openssh-2.3.0p1.tar.gz" and compiled as follows: ->> ->># ./configure --prefix=/usr/local/openssh --with-tcp-wrappers ->>--with-ipv4-default ->># make ->># make install ->> ->> This builts all ssh files in /usr/local/openssh (I don't like mix ->>with SuSE binaries). Then I've modified /etc/rc.d/sshd to use the ->>files from this directory. You may include at start tag: ->>startproc /usr/local/openssh/bin/sshd -f ->>/usr/local/openssh/etc/sshd_config ->> ->> It isn't difficult :-P ->> ->> Having the source you can apply instantly further patches, etc. ->>Fastest way for always being updated without waiting for .rpm's ->>releases! :) ->> ->>=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ->> ** RoMaN SoFt / LLFB ** ->> roman@madrid.com ->> http://pagina.de/romansoft ->>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ->> ->>--------------------------------------------------------------------- ->>To unsubscribe, e-mail: suse-security-unsubscribe@suse.com ->>For additional commands, e-mail: suse-security-help@suse.com ->>

Ahhh... cool.. Thanks Bob. - H On Mon, 12 Feb 2001, Bob Vickers wrote: ->>Herman, ->> ->>The last version of openssh (openssh-2.3.0p1-0) was built with libwrap as ->>far as I know, but this version was never properly announced. There was a ->>message to this list but neither an alert nor the update was put on ->>the web site. ->> ->>Bob ->> ->>On Mon, 12 Feb 2001, Herman Knief wrote: ->> ->>> Hi Roman, ->>> ->>> I know this would count as a last minute request... but can you folks package ->>> an SSH rpm (OpenSSH preferrably) that is compiled with libwrap? Being the ->>> lazy person I am, it would be much easier that having to unpack, rebuild and ->>> repack the module that is available on the website. :-) ->>> ->>> Thanks, ->>> Herman ->>> ->>> Roman Drahtmueller wrote: ->>> ->>> > Hi, ->>> > ->>> > just a brief heads-up: There will be updates for ssh (and probably also ->>> > the kernel) later today to address the latest security problems with ssh. ->>> > Stay tuned. ->>> > ->>> > Roman. ->>> > -- ->>> > - - ->>> > | Roman Drahtm�ller // "Caution: Cape does | ->>> > SuSE GmbH - Security Phone: // not enable user to fly." ->>> > | N�rnberg, Germany +49-911-740530 // (Batman Costume warning label) | ->>> > - - ->>> > ->>> > --------------------------------------------------------------------- ->>> > To unsubscribe, e-mail: suse-security-unsubscribe@suse.com ->>> > For additional commands, e-mail: suse-security-help@suse.com ->>> ->>> ->>> --------------------------------------------------------------------- ->>> To unsubscribe, e-mail: suse-security-unsubscribe@suse.com ->>> For additional commands, e-mail: suse-security-help@suse.com ->>> ->>> ->> ->>============================================================== ->>Bob Vickers R.Vickers@cs.rhul.ac.uk ->>Dept of Computer Science, Royal Holloway, University of London ->>WWW: http://www.cs.rhul.ac.uk/home/bobv ->>Phone: +44 1784 443691 ->> ->> ->>--------------------------------------------------------------------- ->>To unsubscribe, e-mail: suse-security-unsubscribe@suse.com ->>For additional commands, e-mail: suse-security-help@suse.com ->>

...

I'm still missing the Announcement here for:

- SSH Updates for the CERT Advisories dated 09-12 Feb 2001

Due to a communication problem we ran into a licensing problem (the ssh versions after 1.2.27 have an entirely different license which is not acceptable for a Linux distribution). I'll have the patches applied myself if the usual way doesn't work out until 1600.

Why not drop ssh and use OpenSSH?

...

- Kernel-Updates for the ptrace() and sysctl() Bug-Announcements

The fix for the ptrace() race was incomplete. It is non-trivial to handle. Be sure we're working on it.

Funny that, kernel calls being tricky and all to fix ;)

...

Joerg Henner.

Roman.

Kurt Seifried, seifried@securityportal.com Securityportal - your focal point for security on the 'net

...

Why not drop ssh and use OpenSSH?

Great idea - just sitting hier at a customer, and saw that on SuSE 6.2 only the 1.2.27-18 is installed :(

Bad idea. 1.2.27 has been the only secure shell implementation (along with the newer versions) that was capable of running a backup through an ssh connection. It's a matter of stability... We'll have to focus on openssh, though. Maybe, in future releases of the SuSE-distribution, there will be the official ssh version from f-secure included (it almost was in 7.1, but I didn't get the written agreement from the finland folks).

Joerg Henner.

Roman. -- - - | Roman Drahtmüller "Caution: Cape does not | SuSE GmbH - Security enable user to fly." | Nürnberg, Germany (Batman Costume warning label) | - -

Bad idea. 1.2.27 has been the only secure shell implementation (along with the newer versions) that was capable of running a backup through an ssh connection. It's a matter of stability...

We'll have to focus on openssh, though. Maybe, in future releases of the SuSE-distribution, there will be the official ssh version from f-secure included (it almost was in 7.1, but I didn't get the written agreement from the finland folks).

NO! BAD! Their (ssh.com) license is extremely restrictive despite the "free use" (limited) for Linux users. Use OpenSSH. It is free. The rest ARE NOT.

Roman.

-Kurt

NO! BAD! Their (ssh.com) license is extremely restrictive despite the "free use" (limited) for Linux users. Use OpenSSH. It is free. The rest ARE NOT.

I agree completely with this. I see no reason to run a restrictive commercial program on a OS that is Free Software especially when there is a Free/Open alternative that works really well. I'm using OpenSSH 2.3.0p1. It works really well for me. I've experienced no problems whatsoever. Earlier releases of OpenSSH did have a tendence to crash but things change rapidly especially in open source software. I'd like to see a response to Roman's comment about OpenSSH lacking functionality and stability. Frankly, SSH1 worries me. It seems inherently insecure and is featured on Bugtraq about as often as wuftpd - Exploit of the Month Club. ;) M

I agree completely with this. I see no reason to run a restrictive commercial program on a OS that is Free Software especially when there is a Free/Open alternative that works really well.

Good point.

I'm using OpenSSH 2.3.0p1. It works really well for me. I've experienced no problems whatsoever. Earlier releases of OpenSSH did have a tendence to crash but things change rapidly especially in open source software.

I'd like to see a response to Roman's comment about OpenSSH lacking functionality and stability.

I think I will have to give it another try. I was running backups (tar through an ssh stdio connection) through openssh, the version we had before 2.3.0p1 (don't remember it), and with two machines it crashed every once in a while. But as you said, things change rapidly in the open source community. Which makes me glad that I work with it. A brief question: Has anybody seen any problems like crashes, terminated connections or anything alike after some weeks of permanent connection, a few hundred megs running through it with all kinds of data, with thousands of connection forward attempts (both X11 as well as tcp ports) or anything like that with the latest openssh versions?

Frankly, SSH1 worries me. It seems inherently insecure and is featured on Bugtraq about as often as wuftpd - Exploit of the Month Club. ;)

I disagree with that. There have been some problems, but others did, too. Two incidents in two years don't make a good statistics yet. The ssh code reads very cleanly, and in many corners you can see that it has been writen thoughtfully and with security in mind.

M

Btw, Holger van Lengerich notified me that the URLs do not match. Please change ftp.suse.com to read ftp.suse.de. The ssh updates are on the German side of the world because of licensing and weapons export issues. :-) The sums match, though. Thanks for the note, Holger. Later... Roman. -- - - | Roman Drahtmüller // "Caution: Cape does | SuSE GmbH - Security Phone: // not enable user to fly." | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) | - -

Roman Drahtmueller writes:

...

I'd like to see a response to Roman's comment about OpenSSH lacking functionality and stability.

I think I will have to give it another try. I was running backups (tar through an ssh stdio connection) through openssh, the version we had before 2.3.0p1 (don't remember it), and with two machines it crashed every once in a while. But as you said, things change rapidly in the open source community. Which makes me glad that I work with it.

A brief question: Has anybody seen any problems like crashes, terminated connections or anything alike after some weeks of permanent connection, a few hundred megs running through it with all kinds of data, with thousands of connection forward attempts (both X11 as well as tcp ports) or anything like that with the latest openssh versions?

I've had problems with OpenSSH 2.3.0p1, but they're problems with establishing connections, not with the connection flaking out after it has successfully started. (FWIW: the licensing for ssh-2.4.0 (from ssh.com) is less restrictive than some of the previous versions of the ssh-2.x software. It's still not free for everyone, but at least non-profit organizations can use it without paying hefty fees.) I've just started working with OpenSSH recently, so there may be some configuration issues that I've just missed, but here are some of my observations: With regards to OpenSSH 2.3.0p1: - Under some circumstances I could not get 'scp' to work. It was always with a particular host (call it host A), and I'm guessing that it had to do with a long banner message that was printed when logging into this host. Anyway, scp would always fail with a "protocol error: bad mode" message when connecting to this host. For example: user@hostB:~ > scp -v -v -v hostA:/etc/passwd . Executing: program /usr/local/bin/ssh host hostA, user (unspecified), command scp -v -f /etc/ passwd user@hostA's password: protocol error: bad mode user@hostB:~ > Write failed flushing stdout buffer. Sending file modes: C0644 266430 passwd write stdout: Broken pipe - There are some interoperability issues between the ssh.com version of scp (version 2.4.0) and the one in OpenSSH: I can't use scp from the ssh.com version to connect to the OpenSSH version of scp, though I can connect in the other direction fine. - It appears that the "RhostsRSAAuthentication" option for authentication is not available when using the ssh 2.0 protocol (though it does work with the 1.5 protocol). This appears to be a "working as designed" issue. - And one non-Linux issue: the SIA authentication for the Dec OSF/1 version of unix doesn't work (I had to do modify some of the source code in OpenSSH to get it to work). - Dan (Daniel Carroll)

f-secure ssh is a good idea, I tested it for weeks on a RedHat server as stable as ssh even for backups. But as far as I know it doesn't support ssh1. Neither daemon nor client.

You might want to read the license, and then make sure your IT budget has enough room to buy F-secure's product. I have an article coming out on this subject, it's ... well, I'll post the url once done. Things aren't so happy in happy-land :P. -Kurt -Kurt

Quoting Kurt Seifried (listuser@seifried.org) on Wed, Feb 14, 2001 at 11:21:16PM +0100:

...

f-secure ssh is a good idea, I tested it for weeks on a RedHat server as stable as ssh even for backups. But as far as I know it doesn't support ssh1. Neither daemon nor client.

You might want to read the license, and then make sure your IT budget has enough room to buy F-secure's product.

Hmm, there are IT organizations that run entirely on Linux. no need to pay for F-Secure, it is free there. Then there are IT organizations that needed something stable a year ago, so they run F-Secure. And when I connect to them I have to run F-Secure as well, as the blasted keys of OpenSSH did not work the last time I tried it.... Me thinks shipping both F-Secure and OpenSSH is the way to go. Drop the old SSH-1. cheers afx -- atsec information security GmbH Phone: +49-89-44249830 Steinstrasse 68 Fax: +49-89-44249831 D-81667 Muenchen, Germany WWW: www.atsec.com May the Source be with you!

Quoting Kurt Seifried (listuser@seifried.org) on Thu, Feb 15, 2001 at 06:27:44PM +0100:

...

Hmm, there are IT organizations that run entirely on Linux. no need to pay for F-Secure, it is free there.

You might want to read the license.... Uhmm... F-Secure is not really free for use outside of non-commercial use in some situations.

Well, Tatu posted on Bugtraq that it is free for any use on Linux and the free BSD systems. afx -- atsec information security GmbH Phone: +49-89-44249830 Steinstrasse 68 Fax: +49-89-44249831 D-81667 Muenchen, Germany WWW: www.atsec.com May the Source be with you!

Quoting Kurt Seifried (listuser@seifried.org) on Sat, Feb 17, 2001 at 05:55:34AM +0100:

...

Well, Tatu posted on Bugtraq that it is free for any use on Linux and the free BSD systems.

Have you actually READ the license? it's not very free.

Nope, but I assume that stetemens from tha author are correct. afx -- atsec information security GmbH Phone: +49-89-44249830 Steinstrasse 68 Fax: +49-89-44249831 D-81667 Muenchen, Germany WWW: www.atsec.com May the Source be with you!