Hi,
just a brief heads-up: There will be updates for ssh (and probably also
the kernel) later today to address the latest security problems with ssh.
Stay tuned.
Roman.
--
Roman Drahtmüller
Hi Roman,

I know this would count as a last minute request... but can you folks package an SSH rpm (OpenSSH preferably) that is compiled with libwrap? Being the lazy person I am, it would be much easier than having to unpack, rebuild and repack the module that is available on the website. :-)

Thanks,
Herman

Roman Drahtmueller wrote:
Hi,
just a brief heads-up: There will be updates for ssh (and probably also the kernel) later today to address the latest security problems with ssh. Stay tuned.
Roman.
--
Roman Drahtmüller | SuSE GmbH - Security, Nürnberg, Germany | Phone: +49-911-740530
"Caution: Cape does not enable user to fly." (Batman Costume warning label)
Hi Roman,
I know this would count as a last minute request... but can you folks package an SSH rpm (OpenSSH preferably) that is compiled with libwrap? Being the lazy person I am, it would be much easier than having to unpack, rebuild and repack the module that is available on the website. :-)
We'll do. It was a bug a while ago that the package wasn't compiled against libwrap.a.
Thanks, Herman
Roman.
--
Roman Drahtmüller
On Mon, 12 Feb 2001 07:06:06 -0800, you wrote:
I know this would count as a last minute request... but can you folks package an SSH rpm (OpenSSH preferably) that is compiled with libwrap? Being the
Why don't you compile it by yourself?

I've downloaded "openssh-2.3.0p1.tar.gz" and compiled as follows:

    # ./configure --prefix=/usr/local/openssh --with-tcp-wrappers --with-ipv4-default
    # make
    # make install

This builds all ssh files in /usr/local/openssh (I don't like mixing with SuSE binaries). Then I've modified /etc/rc.d/sshd to use the files from this directory. You may include at the start tag:

    startproc /usr/local/openssh/bin/sshd -f /usr/local/openssh/etc/sshd_config

It isn't difficult :-P

Having the source you can apply further patches instantly, etc. Fastest way for always being updated without waiting for .rpm releases! :)

--
** RoMaN SoFt / LLFB **
roman@madrid.com
http://pagina.de/romansoft
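Building with --with-tcp-wrappers only protects a host if the sshd that is actually started is the wrapped one and the hosts.allow/hosts.deny rules say what you think they say. The shell snippet below is an added example, not code from RoMaN SoFt's post or from any SuSE package: it checks a binary's `ldd` output for libwrap and models how a client address is matched against the patterns on an "sshd:" line (ALL, an exact address, or a dotted prefix with a trailing dot). The default sshd path, the sample ldd output and the 192.168.1. management network are assumptions/constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an sshd binary was built
# with tcp_wrappers support and model how a hosts.allow pattern matches.

# libwrap_linked LDD_OUTPUT
# Returns 0 when the given `ldd` output lists libwrap, 1 otherwise.
libwrap_linked() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*libwrap\.so'
}

# check_sshd [PATH]
# Runs ldd on a real sshd and reports whether /etc/hosts.allow and
# /etc/hosts.deny will be consulted at all. The default path is an
# assumption; pass the path of the binary your init script starts.
check_sshd() {
    bin="${1:-/usr/local/openssh/sbin/sshd}"
    [ -x "$bin" ] || { echo "no executable at $bin" >&2; return 2; }
    if libwrap_linked "$(ldd "$bin" 2>/dev/null)"; then
        echo "$bin: linked with libwrap, hosts.allow/hosts.deny apply"
    else
        echo "$bin: NOT linked with libwrap, tcp_wrappers rules are silently ignored"
        return 1
    fi
}

# wrapper_allows CLIENT_IP PATTERN...
# Minimal model of tcp_wrappers client matching: ALL, an exact address,
# or a dotted prefix such as "192.168.1." (trailing dot). Returns 0 on
# the first match, 1 when no pattern matches.
wrapper_allows() {
    client=$1; shift
    for pat in "$@"; do
        case "$pat" in
            ALL) return 0 ;;
            *.)  case "$client" in "$pat"*) return 0 ;; esac ;;
            *)   [ "$client" = "$pat" ] && return 0 ;;
        esac
    done
    return 1
}

# Constructed ldd output for a wrapped and an unwrapped build (sample data).
SAMPLE_LDD_WRAPPED='    libwrap.so.0 => /usr/lib/libwrap.so.0 (0x40020000)
    libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40030000)
    libc.so.6 => /lib/libc.so.6 (0x40100000)'
SAMPLE_LDD_PLAIN='    libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40030000)
    libc.so.6 => /lib/libc.so.6 (0x40100000)'

# Default-deny policy the matcher above models (assumed management net):
#   /etc/hosts.deny    sshd: ALL
#   /etc/hosts.allow   sshd: 192.168.1.
if [ "${1:-}" = "demo" ]; then
    libwrap_linked "$SAMPLE_LDD_WRAPPED" && echo "sample wrapped build: libwrap found"
    libwrap_linked "$SAMPLE_LDD_PLAIN"   || echo "sample plain build: no libwrap"
    wrapper_allows 192.168.1.7 192.168.1. && echo "192.168.1.7 allowed"
    wrapper_allows 10.0.0.5    192.168.1. || echo "10.0.0.5 denied"
    [ -n "${2:-}" ] && check_sshd "$2"
fi
```

Run it as `sh check-wrap.sh demo /path/to/sshd` to see the sample checks and then the verdict for a real binary. The matcher deliberately covers only the three simplest pattern forms; tcp_wrappers also accepts net/mask and hostname patterns, so treat it as a sanity check on an "sshd:" line, not as a replacement for reading hosts_access(5).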
Did you READ the part about my being lazy? Yes, I could do it myself, and have for the versions that weren't compiled using libwrap. I was simply asking about future RPMs, and whether this could be done.

Thanks to Roman Drahtmueller for the positive response.

- Herman

On Mon, 12 Feb 2001, RoMaN SoFt / LLFB!! wrote:
> Why don't you compile it by yourself?
> [...]
Herman,

The last version of openssh (openssh-2.3.0p1-0) was built with libwrap as far as I know, but this version was never properly announced. There was a message to this list but neither an alert nor the update was put on the web site.

Bob

On Mon, 12 Feb 2001, Herman Knief wrote:
Hi Roman,
I know this would count as a last minute request... but can you folks package an SSH rpm (OpenSSH preferably) that is compiled with libwrap? Being the lazy person I am, it would be much easier than having to unpack, rebuild and repack the module that is available on the website. :-)
Thanks, Herman
--
Bob Vickers, R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691
Ahhh... cool.. Thanks Bob.
- H
On Mon, 12 Feb 2001, Bob Vickers wrote:
> Herman,
>
> The last version of openssh (openssh-2.3.0p1-0) was built with libwrap as
> far as I know, but this version was never properly announced. There was a
> message to this list but neither an alert nor the update was put on
> the web site.
>
> Bob
On Mon, 12 Feb 2001, Roman Drahtmueller wrote:
just a brief heads-up: There will be updates for ssh (and probably also the kernel) later today to address the latest security problems with ssh. Stay tuned.
Hopefully, those updates will be available today - even for all versions of 6.x and above ...

Greetings,
Joerg Henner.
--
LinuxHaus Stuttgart | Tel.: +49 (7 11) 2 85 19 05
J. Henner & A. Reyer, Datentechnik GbR | D2: +49 (1 72) 7 35 31 09 | Fax: +49 (7 11) 5 78 06 92
Linux, Networks, Consulting & Support | http://lihas.de
On Mon, 12 Feb 2001, Roman Drahtmueller wrote:
just a brief heads-up: There will be updates for ssh (and probably also the kernel) later today to address the latest security problems with ssh. Stay tuned.
I'm still missing the Announcement here for:
- SSH Updates for the CERT Advisories dated 09-12 Feb 2001
- Kernel-Updates for the ptrace() and sysctl() Bug-Announcements

Where are those fixes located?

Greetings,
Joerg Henner.
I'm still missing the Announcement here for:
- SSH Updates for the CERT Advisories dated 09-12 Feb 2001
Due to a communication problem we ran into a licensing problem (the ssh versions after 1.2.27 have an entirely different license which is not acceptable for a Linux distribution). I'll have the patches applied myself if the usual way doesn't work out until 1600.
- Kernel-Updates for the ptrace() and sysctl() Bug-Announcements
The fix for the ptrace() race was incomplete. It is non-trivial to handle. Be sure we're working on it.
were are those fixes located ?
Joerg Henner.

Roman.
--
Roman Drahtmüller
I'm still missing the Announcement here for:
- SSH Updates for the CERT Advisories dated 09-12 Feb 2001
Due to a communication problem we ran into a licensing problem (the ssh versions after 1.2.27 have an entirely different license which is not acceptable for a Linux distribution). I'll have the patches applied myself if the usual way doesn't work out until 1600.
Why not drop ssh and use OpenSSH?
- Kernel-Updates for the ptrace() and sysctl() Bug-Announcements
The fix for the ptrace() race was incomplete. It is non-trivial to handle. Be sure we're working on it.
Funny that, kernel calls being tricky and all to fix ;)
Joerg Henner.
Roman.
Kurt Seifried, seifried@securityportal.com Securityportal - your focal point for security on the 'net
On Mit, 14 Feb 2001, Kurt Seifried wrote:
> > > - SSH Updates for the CERT Advisories dated 09-12 Feb 2001
> >
> > Due to a communication problem we ran into a licensing problem (the ssh versions after 1.2.27 have an entirely different license which is not acceptable for a Linux distribution). I'll have the patches applied myself if the usual way doesn't work out until 1600.
>
> Why not drop ssh and use OpenSSH?
Great idea - just sitting here at a customer, and saw that on SuSE 6.2 only the 1.2.27-18 is installed :(

Kind regards,
Joerg Henner.
Why not drop ssh and use OpenSSH?
Great idea - just sitting hier at a customer, and saw that on SuSE 6.2 only the 1.2.27-18 is installed :(
Bad idea. 1.2.27 has been the only secure shell implementation (along with the newer versions) that was capable of running a backup through an ssh connection. It's a matter of stability... We'll have to focus on openssh, though. Maybe, in future releases of the SuSE-distribution, there will be the official ssh version from f-secure included (it almost was in 7.1, but I didn't get the written agreement from the finland folks).
Joerg Henner.
Roman.
--
Roman Drahtmüller
* Roman Drahtmueller wrote on Wed, Feb 14, 2001 at 17:05 +0100:
Why not drop ssh and use OpenSSH?
Bad idea. 1.2.27 has been the only secure shell implementation (along with the newer versions) that was capable of running a backup through an ssh connection. It's a matter of stability...
Well, that means that OpenSSH is not stable? What problems do I have to expect?

oki,
Steffen
--
This letter was produced by machine and therefore bears neither signature nor seal.
Bad idea. 1.2.27 has been the only secure shell implementation (along with the newer versions) that was capable of running a backup through an ssh connection. It's a matter of stability...
We'll have to focus on openssh, though. Maybe, in future releases of the SuSE-distribution, there will be the official ssh version from f-secure included (it almost was in 7.1, but I didn't get the written agreement from the finland folks).
NO! BAD! Their (ssh.com) license is extremely restrictive despite the "free use" (limited) for Linux users. Use OpenSSH. It is free. The rest ARE NOT.
Roman.
-Kurt
Bad idea. 1.2.27 has been the only secure shell implementation (along with the newer versions) that was capable of running a backup through an ssh connection. It's a matter of stability...
Eh? I use OpenSSH to back up stuff all the time... I missed the first part of this thread, we're talking about system backups like with dump or tar, right?

--
Jeremy [jeremy@wellsgaming.com]
NO! BAD! Their (ssh.com) license is extremely restrictive despite the "free use" (limited) for Linux users. Use OpenSSH. It is free. The rest ARE NOT.
I agree completely with this. I see no reason to run a restrictive commercial program on an OS that is Free Software, especially when there is a Free/Open alternative that works really well.

I'm using OpenSSH 2.3.0p1. It works really well for me. I've experienced no problems whatsoever. Earlier releases of OpenSSH did have a tendency to crash but things change rapidly, especially in open source software.

I'd like to see a response to Roman's comment about OpenSSH lacking functionality and stability.

Frankly, SSH1 worries me. It seems inherently insecure and is featured on Bugtraq about as often as wuftpd - Exploit of the Month Club. ;)

M
Frankly, SSH1 worries me. It seems inherently insecure and is featured on Bugtraq about as often as wuftpd - Exploit of the Month Club. ;)
Not quite true. Most of those were implementation issues, of which OpenSSH was free (one they fixed by accident a while ago, lucky buggers ;).... There are some attacks still in SSH1, but the OpenSSH group will be issuing fixes shortly (as for SSH from F-Secure I'm not so sure).
M
-Kurt
I agree completely with this. I see no reason to run a restrictive commercial program on a OS that is Free Software especially when there is a Free/Open alternative that works really well.
Good point.
I'm using OpenSSH 2.3.0p1. It works really well for me. I've experienced no problems whatsoever. Earlier releases of OpenSSH did have a tendence to crash but things change rapidly especially in open source software.
I'd like to see a response to Roman's comment about OpenSSH lacking functionality and stability.
I think I will have to give it another try. I was running backups (tar through an ssh stdio connection) through openssh, the version we had before 2.3.0p1 (don't remember it), and with two machines it crashed every once in a while. But as you said, things change rapidly in the open source community. Which makes me glad that I work with it. A brief question: Has anybody seen any problems like crashes, terminated connections or anything alike after some weeks of permanent connection, a few hundred megs running through it with all kinds of data, with thousands of connection forward attempts (both X11 as well as tcp ports) or anything like that with the latest openssh versions?
Frankly, SSH1 worries me. It seems inherently insecure and is featured on Bugtraq about as often as wuftpd - Exploit of the Month Club. ;)
I disagree with that. There have been some problems, but others did, too. Two incidents in two years don't make good statistics yet. The ssh code reads very cleanly, and in many corners you can see that it has been written thoughtfully and with security in mind.
M
Btw, Holger van Lengerich notified me that the URLs do not match.
Please change ftp.suse.com to read ftp.suse.de. The ssh updates are on the
German side of the world because of licensing and weapons export issues.
:-) The sums match, though.
Thanks for the note, Holger.
Later...
Roman.
--
Roman Drahtmüller
Roman asked for experience of intensively used OpenSSH.

We back up our Linux boxes to Tru64 servers using a mixture of SSH products and have experienced no stability problems at all. Every night some data will be transferred and once a month a few gigabytes will be transferred. The setup is that an ssh client (1.2.25) on Tru64 is calling an OpenSSH sshd process on the linux boxes.

So I can say that in my experience the OpenSSH server is rock solid under heavy load. The OpenSSH clients also work well, but they don't see the same kind of load.

Bob
--
Bob Vickers, R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691
Roman Drahtmueller wrote:
I'd like to see a response to Roman's comment about OpenSSH lacking functionality and stability.
I think I will have to give it another try. I was running backups (tar through an ssh stdio connection) through openssh, the version we had before 2.3.0p1 (don't remember it), and with two machines it crashed every once in a while. But as you said, things change rapidly in the open source community. Which makes me glad that I work with it.
A brief question: Has anybody seen any problems like crashes, terminated connections or anything alike after some weeks of permanent connection, a few hundred megs running through it with all kinds of data, with thousands of connection forward attempts (both X11 as well as tcp ports) or anything like that with the latest openssh versions?
I've had problems with OpenSSH 2.3.0p1, but they're problems with establishing connections, not with the connection flaking out after it has successfully started.

(FWIW: the licensing for ssh-2.4.0 (from ssh.com) is less restrictive than some of the previous versions of the ssh-2.x software. It's still not free for everyone, but at least non-profit organizations can use it without paying hefty fees.)

I've just started working with OpenSSH recently, so there may be some configuration issues that I've just missed, but here are some of my observations:

With regards to OpenSSH 2.3.0p1:

- Under some circumstances I could not get 'scp' to work. It was always with a particular host (call it host A), and I'm guessing that it had to do with a long banner message that was printed when logging into this host. Anyway, scp would always fail with a "protocol error: bad mode" message when connecting to this host. For example:

    user@hostB:~ > scp -v -v -v hostA:/etc/passwd .
    Executing: program /usr/local/bin/ssh host hostA, user (unspecified), command scp -v -f /etc/passwd
    user@hostA's password:
    protocol error: bad mode
    user@hostB:~ > Write failed flushing stdout buffer.
    Sending file modes: C0644 266430 passwd
    write stdout: Broken pipe

- There are some interoperability issues between the ssh.com version of scp (version 2.4.0) and the one in OpenSSH: I can't use scp from the ssh.com version to connect to the OpenSSH version of scp, though I can connect in the other direction fine.

- It appears that the "RhostsRSAAuthentication" option for authentication is not available when using the ssh 2.0 protocol (though it does work with the 1.5 protocol). This appears to be a "working as designed" issue.

- And one non-Linux issue: the SIA authentication for the Dec OSF/1 version of unix doesn't work (I had to modify some of the source code in OpenSSH to get it to work).

- Dan (Daniel Carroll)
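Dan's guess about the banner is the usual explanation for "protocol error: bad mode": the receiving scp reads the remote side's stdout line by line and expects the very first line to be a control record of the form `C0644 266430 passwd` (the one visible in his transcript). Anything a login script prints first is parsed as if it were such a record. The shell snippet below is an added example, not part of Dan's post or of OpenSSH; it re-implements, in simplified form, the first checks scp's receiver applies to a record (the shape of those checks is an assumption about OpenSSH's scp source; only the "bad mode" message itself is taken from the thread). The sample streams are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): a shell model of the checks scp's
# receiving side applies to each line it reads from the remote "scp -f"
# process, showing why banner output that arrives before the real record
# breaks the transfer.

# scp_record_check LINE
# A well-formed record looks like: <C|D><4 octal digits> <size> <name>
# Prints "ok" and returns 0 for such a record; otherwise prints the
# diagnostic scp would raise and returns 1.
scp_record_check() {
    line=$1
    case "$line" in
        [CD]*) ;;                                    # file or directory record
        *) echo "expected control record"; return 1 ;;
    esac
    mode=$(printf '%s' "$line" | cut -c2-5)           # the four mode digits
    case "$mode" in
        [0-7][0-7][0-7][0-7]) ;;
        *) echo "bad mode"; return 1 ;;               # e.g. "Caution: ..." -> "auti"
    esac
    size=$(printf '%s' "$line" | cut -d' ' -f2)       # decimal byte count
    case "$size" in
        ''|*[!0-9]*) echo "bad size"; return 1 ;;
    esac
    echo ok
}

# scp_first_record STREAM
# Applies the check to the first line the remote side sent, which is what
# decides whether the transfer starts at all.
scp_first_record() {
    first=$(printf '%s\n' "$1" | sed -n 1p)
    scp_record_check "$first"
}

# Constructed remote-side output (sample data, not a real capture).
SAMPLE_CLEAN='C0644 266430 passwd'
SAMPLE_BANNER='Caution: this host is monitored
C0644 266430 passwd'
SAMPLE_MOTD='Welcome to hostA
C0644 266430 passwd'

if [ "${1:-}" = "demo" ]; then
    printf 'clean stream:   '; scp_first_record "$SAMPLE_CLEAN"
    printf 'banner first:   '; scp_first_record "$SAMPLE_BANNER"
    printf 'motd first:     '; scp_first_record "$SAMPLE_MOTD"
fi
```

Run with `sh scp-record.sh demo`. A banner line that happens to start with C or D reproduces Dan's "bad mode"; any other text produces "expected control record". The fix belongs on the remote host, not in scp: shell startup files must stay silent for non-interactive sessions, for example by wrapping banner or echo commands in `case $- in *i*) ... ;; esac`, and a quick way to confirm a host is clean is to check that `ssh hostA true` prints nothing.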
Why not drop ssh and use OpenSSH?
Great idea - just sitting hier at a customer, and saw that on SuSE 6.2 only the 1.2.27-18 is installed :(
Bad idea. 1.2.27 has been the only secure shell implementation (along with the newer versions) that was capable of running a backup through an ssh connection. It's a matter of stability...
We'll have to focus on openssh, though. Maybe, in future releases of the SuSE-distribution, there will be the official ssh version from f-secure included (it almost was in 7.1, but I didn't get the written agreement from the finland folks).
Roman.

[ Sorry, Roman, this shouldn't have been a direct reply. Now again to the list.... ]

f-secure ssh is a good idea, I tested it for weeks on a RedHat server, as stable as ssh even for backups. But as far as I know it doesn't support ssh1. Neither daemon nor client.

--
Ralf Koch
mailto:info@formel4.de
f-secure ssh is a good idea, I tested it for weeks on a RedHat server as stable as ssh even for backups. But as far as I know it doesn't support ssh1. Neither daemon nor client.
You might want to read the license, and then make sure your IT budget has enough room to buy F-secure's product.

I have an article coming out on this subject, it's ... well, I'll post the url once done. Things aren't so happy in happy-land :P.

-Kurt
Ouch. I tested F-Secure on a completely installed system of a second company, so I never worried about licensing. I totally agree with you that usage of non-open software is definitely not what I want on my system. I stated the F-Secure comment just to underline that it IS a stable ssh solution. We used it for transferring hundreds of Megs with different protocols and in contrast to OpenSSH (I believe Version 2.1.anything) there was no crash.
f-secure ssh is a good idea, I tested it for weeks on a RedHat server as stable as ssh even for backups. But as far as I know it doesn't support ssh1. Neither daemon nor client.
You might want to read the license, and then make sure your IT budget has enough room to buy F-secure's product.
I have an article coming out on this subject, it's ... well, I'll post the url once done. Things aren't so happy in happy-land :P.
Happy-land is a nice place to live. If you don't worry about licensing, because it is not YOUR system you test a product on.....
-Kurt
Cheers, Ralf
Quoting Kurt Seifried (listuser@seifried.org) on Wed, Feb 14, 2001 at 11:21:16PM +0100:
f-secure ssh is a good idea, I tested it for weeks on a RedHat server as stable as ssh even for backups. But as far as I know it doesn't support ssh1. Neither daemon nor client.
You might want to read the license, and then make sure your IT budget has enough room to buy F-secure's product.
Hmm, there are IT organizations that run entirely on Linux. No need to pay for F-Secure, it is free there.

Then there are IT organizations that needed something stable a year ago, so they run F-Secure.

And when I connect to them I have to run F-Secure as well, as the blasted keys of OpenSSH did not work the last time I tried it....

Me thinks shipping both F-Secure and OpenSSH is the way to go. Drop the old SSH-1.

cheers
afx
--
atsec information security GmbH | Phone: +49-89-44249830
Steinstrasse 68 | Fax: +49-89-44249831
D-81667 Muenchen, Germany | WWW: www.atsec.com
May the Source be with you!
Hmm, there are IT organizations that run entirely on Linux. no need to pay for F-Secure, it is free there.
You might want to read the license.... Uhmm... F-Secure is not really free for use outside of non-commercial use in some situations.
Then there are IT organizations that needed something stable a year ago, so they run F-Secure.
And when I connect to them I have to run F-Secure as well, as the blasted keys of OpenSSH did not work the last time I tried it....
Me thinks shipping both F-Secure and OpenSSH is the way to go. Drop the old SSH-1.
cheers afx
Kurt Seifried, seifried@securityportal.com Securityportal - your focal point for security on the 'net
Quoting Kurt Seifried (listuser@seifried.org) on Thu, Feb 15, 2001 at 06:27:44PM +0100:
Hmm, there are IT organizations that run entirely on Linux. no need to pay for F-Secure, it is free there.
You might want to read the license.... Uhmm... F-Secure is not really free for use outside of non-commercial use in some situations.
Well, Tatu posted on Bugtraq that it is free for any use on Linux and the free BSD systems.

afx
Quoting Kurt Seifried (listuser@seifried.org) on Sat, Feb 17, 2001 at 05:55:34AM +0100:
Well, Tatu posted on Bugtraq that it is free for any use on Linux and the free BSD systems.
Have you actually READ the license? it's not very free.
Nope, but I assume that statements from the author are correct.

afx
Have you actually READ the license? it's not very free.
Nope, but I assume that statements from the author are correct. afx
Ok, read the license file that comes with SSH, you should also read the webpage that Tatu's statements are on:

http://www.ssh.com/about/press/2000/release15082000.html

And my article on Tatu attempting to sue OpenSSH/ScanSSH for trademark infringement:

http://www.securityportal.com/articles/ssh20010214.html

Assumptions are a bad thing to make. Tatu's statements don't really matter a damn, oddly enough his statements on use/etc haven't been included in the new license and as far as I can tell only apply to SSH 2.3 and not 2.4 (current one). You really should read the fine print.

P.S. there are some security considerations as well, OpenSSH portable 2.5.1 is out, I highly recommend installing it.

Kurt Seifried, seifried@securityportal.com
Securityportal - your focal point for security on the 'net
participants (12)
- Andreas Siegert
- Bob Vickers
- Daniel Carroll
- Herman Knief
- Jeremy Buchmann
- Joerg Henner
- Kurt Seifried
- Mr. M
- Ralf Koch
- Roman Drahtmueller
- RoMaN SoFt / LLFB!!
- Steffen Dettmer