Opened 22 years ago

Closed 21 years ago

Last modified 16 years ago

#44 closed defect (fixed)

openssh-3.6.1p2

Reported by: markh@… Owned by: larry@…
Priority: normal Milestone:
Component: BOOK Version: ~CVS
Severity: normal Keywords:
Cc:

Description

Change History (31)

comment:1 by llawrence@…, 22 years ago

Owner: changed from blfs-book@… to llawrence@…
Status: new → assigned

comment:2 by markh@…, 22 years ago

Summary: openssh-3.0p1 → openssh-3.1p1

updating bug version to 3.1p1 (note that previous versions were the subject of a security advisory last week).

By the way, here are my openssh install instructions in case it helps with writing them

./configure --prefix=/usr --libexecdir=/usr/sbin --sysconfdir=/etc/ssh &&

(mention possibility of using --with-md5-passwords if you've used them

This is important; I forgot to use it and spent a couple of hours wondering why I couldn't ssh into my machine..)

make && make install

Note that the install routine is clever enough NOT to overwrite the keys if you already have them meaning it's safe to upgrade this way.

Explanation: --sysconfdir=/etc/ssh ; Normal reasoning

--libexecdir=/usr/sbin ; ssh-askpass is an X11 utility which ssh thinks should go in /usr/libexec. It'll only be compiled if you have X installed (I think - check this) but should go in /usr/sbin anyways not /usr/libexec

Configuration: ssh itself doesn't really need configuration

/etc/ssh_config can be done on a per-user basis but can be overridden on the command line anyways so it isn't usually necessary to set it up.

sshd script:

# "EOF" is quoted so that $0 and $1 are written to the script literally
# instead of being expanded while the file is created.
cat > /etc/init.d/sshd << "EOF"
#!/bin/sh
# Begin /etc/init.d/sshd

#
# Include the functions declared in the /etc/init.d/functions file
#

source /etc/init.d/functions

case "$1" in
    start)
        echo -n "Starting sshd..."
        loadproc /usr/sbin/sshd
        ;;

    stop)
        echo -n "Stopping sshd..."
        killproc /usr/sbin/sshd
        ;;

    restart)
        $0 stop
        /usr/bin/sleep 1
        $0 start
        ;;

    status)
        statusproc /usr/sbin/sshd
        ;;

    *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
        ;;
esac

# End /etc/init.d/sshd
EOF
chmod 755 /etc/init.d/sshd
cd /etc
ln -s ../init.d/sshd rc0.d/K750sshd
ln -s ../init.d/sshd rc1.d/K750sshd
ln -s ../init.d/sshd rc2.d/K750sshd
ln -s ../init.d/sshd rc3.d/S250sshd
ln -s ../init.d/sshd rc4.d/S250sshd
ln -s ../init.d/sshd rc5.d/S250sshd
ln -s ../init.d/sshd rc6.d/K750sshd

==> Also, user must check /etc/ssh/sshd_config file. You may wish to restrict access; e.g. root access or by ip address. LIST OF POSSIBLE SETTINGS TO EXAMINE:

ListenAddress 0.0.0.0
PermitRootLogin yes
X11Forwarding no
#PrintLastLog no

More info on configuration can be found in man sshd, ssh and ssh-agent.

PROVIDES: scp, sftp, ssh, ssh-add, ssh-agent, ssh-keygen, ssh-keyscan, sftp-server, sshd

Can also provide ssh-askpass if X is installed
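
An added example, not part of the ticket or the BLFS book: a shell check that reads an sshd_config and reports the settings listed in the comment above (ListenAddress, PermitRootLogin, X11Forwarding). The function names `values` and `audit_sshd_config`, the WARN policy and the sample file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the sshd_config keywords named in the comment above.
# sshd uses the first value it reads for a keyword and keywords are
# case-insensitive, so a later "permitrootlogin no" does not undo a "yes".

# values FILE KEYWORD -> every global value of KEYWORD, lowercased, in order.
# Assumes whitespace-separated "Keyword value" lines; stops at the first
# Match block because settings below it are conditional.
values() {
    awk -v want="$2" '
        { sub(/#.*/, "") }
        tolower($1) == "match" { exit }
        NF >= 2 && tolower($1) == tolower(want) { print tolower($2) }
    ' "$1"
}

# audit_sshd_config FILE -> one line per setting; returns 1 if any WARN.
# The WARN policy itself is this example's assumption.
audit_sshd_config() {
    cfg=$1; warn=0
    root=$(values "$cfg" PermitRootLogin | head -n 1)
    x11=$(values "$cfg" X11Forwarding | head -n 1)
    listen=$(values "$cfg" ListenAddress)
    case $root in
        yes) echo "WARN PermitRootLogin yes (direct root login allowed)"; warn=1 ;;
        "")  echo "NOTE PermitRootLogin not set (built-in default applies)" ;;
        *)   echo "OK   PermitRootLogin $root" ;;
    esac
    case $x11 in
        yes) echo "WARN X11Forwarding yes (enable only if needed)"; warn=1 ;;
        "")  echo "NOTE X11Forwarding not set (built-in default applies)" ;;
        *)   echo "OK   X11Forwarding $x11" ;;
    esac
    [ -n "$listen" ] || echo "NOTE ListenAddress not set (sshd listens on all local addresses)"
    for addr in $listen; do
        case $addr in
            0.0.0.0|0.0.0.0:*|::|"[::]"*) echo "WARN ListenAddress $addr (every interface)"; warn=1 ;;
            *) echo "OK   ListenAddress $addr" ;;
        esac
    done
    return $warn
}

# Constructed sample input: the values listed in the ticket plus a shadowed line.
sample=$(mktemp)
printf '%s\n' 'ListenAddress 0.0.0.0' 'PermitRootLogin yes' \
    'permitrootlogin no' 'X11Forwarding no' '#PrintLastLog no' > "$sample"
audit_sshd_config "$sample" || echo "review these settings before starting sshd"
rm -f "$sample"
```
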

comment:3 by llawrence@…, 22 years ago

There are some differences that I would like to evaluate, but it will be later this week. I would like the --libexecdir=/usr/sbin to be incorporated, and I agree on the notes. I need to do more research on md5 passwords to understand when to and when not to, and when in LFS the choice was made? I also have to research the configuration changes. Do you want to commit, then get changes or wait?

comment:4 by markh@…, 22 years ago

I've included the --libexecdir change and committed the instructions incorporating the --with-md5 thing.

I *don't* think that --with-md5 hurts even if you don't use md5 passwords so you're right; it's probably best just to include it by default.

Can you look at CVS (either the XML or when the HTML regenerates tomorrow) and let me know if it's ok.

comment:5 by markh@…, 22 years ago

Hmm. I've just glanced at the openssh hint and it says the following:

--disable-suid-ssh

Note that I install the ssh binary -not- suid root. Root privileges are needed by the client only when using rhosts for authentication, which requires ssh to bind to a privileged port. Since rhosts is an old, deprecated authentication method, insecure by design, I'm not using it, and neither should you.

Opinions, Larry?

comment:6 by llawrence@…, 22 years ago

ssh with suid is required to log on to servers that use .rhosts for authentication, so this would be disabled. Since I set up both the client and the server, I know the .rhosts is not used and the --disable-suid-ssh makes sense.

The documentation states "The root privileges are only used to make the connection (from a privileged socket). Any extra privileges are dropped before calling ssh_login.".

I'm for putting it into configure, with a note in explanations on the effects.

comment:7 by llawrence@…, 22 years ago

All Stop links are in the wrong place. I put them after sendsignals, so they show as not running when the stop script runs. Changing to K09 so that any errors can hit the logs.

Note to Mark: Any chance of LFS giving us more room for daemons (we have 1 - 9 before the logs turn off) or is this intentional (standard practice). gpm may also be affected.

comment:8 by llawrence@…, 22 years ago

ssh-askpass is no longer in OpenSSH3.1. gnome-ssh-askpass is in the contrib section, but does not compile with ./configure (uses cc gnome-config..). In README of contrib directory: X11 SSH Askpass Jim Knoble has written an excellent X11 passphrase requester. This is highly recommended: http://www.ntrnet.net/~jmknoble/software/X11-ssh-askpass/index.html

If it is pre-installed, it will find it during the ./configure (tested)

Would you like a "openSSH will utilize ssh-askpass (an X11 ..) and PAM if they are already installed." in the depends section?

comment:9 by markh@…, 22 years ago

This appears to be done now. If there are any more problems, we'll reopen the bug. Larry, can you change the status to Resolve | Fixed please.

comment:10 by llawrence@…, 22 years ago

Resolution: fixed
Status: assigned → closed

comment:11 by markh@…, 22 years ago

Milestone: 1.0

comment:12 by markh@…, 22 years ago

Resolution: fixed
Status: closed → reopened
Summary: openssh-3.1p1 → openssh-3.2.2p1

I wondered how we got so far behind so quickly but they jumped from openssh-3.1p1 to openssh-3.2.2p1.

comment:13 by markh@…, 22 years ago

WARNING: I've just been trying this out and it refuses to compile using md5-passwords so we need to find out why before updating the book.

comment:14 by larry@…, 22 years ago

Owner: changed from llawrence@… to larry@…
Status: reopened → new

comment:15 by llawrence@…, 22 years ago

Resolution: fixed
Status: new → closed

comment:16 by larry@…, 22 years ago

Resolution: fixed
Status: closed → reopened
Summary: openssh-3.2.2p1 → openssh-3.2.3

Version release

comment:17 by larry@…, 22 years ago

Resolution: fixed
Status: reopened → closed

comment:18 by larry@…, 22 years ago

Resolution: fixed
Status: closed → reopened
Summary: openssh-3.2.3 → openssh-3.3p1

version release

comment:19 by larry@…, 22 years ago

Resolution: fixed
Status: reopened → closed

comment:20 by larry@…, 22 years ago

Resolution: fixed
Status: closed → reopened
Summary: openssh-3.3p1 → openssh-3.4p1

Version update - Security fix.

comment:21 by larry@…, 22 years ago

Resolution: fixed
Status: reopened → closed

There is an annoying bug in the install script so that when it checks to see if you created the sshd user, it prints the test line which ends with Echo -> you have not created the user. It looks like a warning message and we will probably get questions on this.

comment:22 by highos@…, 22 years ago

Resolution: fixed
Status: closed → reopened
Summary: openssh-3.4p1 → openssh-3.5p1

Version increment (3.5p1)

comment:23 by larry@…, 22 years ago

Resolution: fixed
Status: reopened → closed

comment:24 by highos@…, 21 years ago

Resolution: fixed
Status: closed → reopened
Summary: openssh-3.5p1 → openssh-3.6p1

Version increment (3.6p1)

comment:25 by tushar@…, 21 years ago

To link statically to openssl, use the following (can be added as an option to the compile instructions):

cp configure configure.orig && sed -e "s:-lcrypto:/usr/lib/libcrypto.a:g" configure.orig > configure

comment:26 by highos@…, 21 years ago

Summary: openssh-3.6p1 → openssh-3.6.1p1

Version increment (3.6.1p1); That was fast..

comment:27 by markh@…, 21 years ago

updated to 3.6.1p1.

I haven't closed the bug because of Tush's comment #17 - it's Larry's call on that one.

comment:28 by larry@…, 21 years ago

Resolution: fixed
Status: reopened → closed

comment:29 by highos@…, 21 years ago

Resolution: fixed
Status: closed → reopened
Summary: openssh-3.6.1p1 → openssh-3.6.1p2

Version increment (3.6.1p2)

comment:30 by larry@…, 21 years ago

Resolution: fixed
Status: reopened → closed

comment:31 by (none), 16 years ago

Milestone: 1.0

Milestone 1.0 deleted
