Change History (31)
comment:1 by , 23 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 23 years ago
Summary: | openssh-3.0p1 → openssh-3.1p1 |
---|
comment:3 by , 23 years ago
There are some differences that I would like to evaluate, but it will be later this week. I would like the --libexecdir=/usr/sbin to be incorporated, and I agree on the notes. I need to do more research on md5 passwords to understand when to and when not to, and when in LFS the choice was made? I also have to research the configuration changes. Do you want to commit, then get changes or wait?
comment:4 by , 23 years ago
I've included the --libexecdir change and committed the instructions incorporating the --with-md5 thing.
I *don't* think that --with-md5 hurts even if you don't use md5 passwords so you're right; it's probably best just to include it by default.
Can you look at CVS (either the XML or when the HTML regenerates tomorrow) and let me know if it's ok.
comment:5 by , 23 years ago
Hmm. I've just glanced at the openssh hint and it says the following:
--disable-suid-ssh
Note that I install the ssh binary -not- suid root. Root privileges are needed by the client only when using rhosts for authentication, which requires ssh to bind to a privileged port. Since rhosts is an old, deprecated authentication method, insecure by design, I'm not using it, and neither should you.
Opinions, Larry?
comment:6 by , 23 years ago
ssh with suid is required to log on to servers that use .rhosts for authentication, so this would be disabled. Since I set up both the client and the server, I know the .rhosts is not used and the --disable-suid-ssh makes sense.
The documentation states "The root privileges are only used to make the connection (from a privileged socket). Any extra privileges are dropped before calling ssh_login.".
I'm for putting it into configure, with a note in explanations on the effects.
comment:7 by , 23 years ago
All Stop links are in the wrong place. I put them after sendsignals, so they show as not running when the stop script runs. Changing to K09 so that any errors can hit the logs.
Note to Mark: Any chance of LFS giving us more room for daemons (we have 1 - 9 before the logs turn off) or is this intentional (standard practice). gpm may also be affected.
comment:8 by , 23 years ago
ssh-askpass is no longer in OpenSSH3.1. gnome-ssh-askpass is in the contrib section, but does not compile with ./configure (uses cc gnome-config..). In README of contrib directory: X11 SSH Askpass Jim Knoble has written an excellent X11 passphrase requester. This is highly recommended: http://www.ntrnet.net/~jmknoble/software/X11-ssh-askpass/index.html
If it is pre-installed, it will find it during the ./configure (tested)
Would you like an "openSSH will utilize ssh-askpass (an X11 ..) and PAM if they are already installed." in the depends section?
comment:9 by , 23 years ago
This appears to be done now. If there are any more problems, we'll reopen the bug. Larry, can you change the status to Resolve | Fixed please.
comment:10 by , 23 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
comment:11 by , 23 years ago
Milestone: | → 1.0 |
---|
comment:12 by , 23 years ago
Resolution: | fixed |
---|---|
Status: | closed → reopened |
Summary: | openssh-3.1p1 → openssh-3.2.2p1 |
I wondered how we got so far behind so quickly but they jumped from openssh-3.1p1 to openssh-3.2.2p1.
comment:13 by , 23 years ago
WARNING: I've just been trying this out and it refuses to compile using md5-passwords so we need to find out why before updating the book.
comment:14 by , 23 years ago
Owner: | changed from | to
---|---|
Status: | reopened → new |
comment:15 by , 23 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
comment:16 by , 23 years ago
Resolution: | fixed |
---|---|
Status: | closed → reopened |
Summary: | openssh-3.2.2p1 → openssh-3.2.3 |
Version release
comment:17 by , 23 years ago
Resolution: | → fixed |
---|---|
Status: | reopened → closed |
comment:18 by , 23 years ago
Resolution: | fixed |
---|---|
Status: | closed → reopened |
Summary: | openssh-3.2.3 → openssh-3.3p1 |
version release
comment:19 by , 23 years ago
Resolution: | → fixed |
---|---|
Status: | reopened → closed |
comment:20 by , 23 years ago
Resolution: | fixed |
---|---|
Status: | closed → reopened |
Summary: | openssh-3.3p1 → openssh-3.4p1 |
Version update - Security fix.
comment:21 by , 23 years ago
Resolution: | → fixed |
---|---|
Status: | reopened → closed |
There is an annoying bug in the install script so that when it checks to see if you created the sshd user, it prints the test line which ends with Echo -> you have not created the user. It looks like a warning message and we will probably get questions on this.
comment:22 by , 22 years ago
Resolution: | fixed |
---|---|
Status: | closed → reopened |
Summary: | openssh-3.4p1 → openssh-3.5p1 |
Version increment (3.5p1)
comment:23 by , 22 years ago
Resolution: | → fixed |
---|---|
Status: | reopened → closed |
comment:24 by , 22 years ago
Resolution: | fixed |
---|---|
Status: | closed → reopened |
Summary: | openssh-3.5p1 → openssh-3.6p1 |
Version increment (3.6p1)
comment:25 by , 22 years ago
To link statically to openssl, use the following (can be added as an option to the compile instructions):
cp configure configure.orig && sed -e "s:-lcrypto:/usr/lib/libcrypto.a:g" configure.orig > configure
comment:26 by , 22 years ago
Summary: | openssh-3.6p1 → openssh-3.6.1p1 |
---|
Version increment (3.6.1p1); That was fast..
comment:27 by , 22 years ago
updated to 3.6.1p1.
I haven't closed the bug because of Tush's comment #17 - it's Larry's call on that one.
comment:28 by , 22 years ago
Resolution: | → fixed |
---|---|
Status: | reopened → closed |
comment:29 by , 22 years ago
Resolution: | fixed |
---|---|
Status: | closed → reopened |
Summary: | openssh-3.6.1p1 → openssh-3.6.1p2 |
Version increment (3.6.1p2)
comment:30 by , 22 years ago
Resolution: | → fixed |
---|---|
Status: | reopened → closed |
updating bug version to 3.1p1 (note that previous versions were the subject of a security advisory last week).
By the way, here are my openssh install instructions in case it helps with writing them:
./configure --prefix=/usr --libexecdir=/usr/sbin --sysconfdir=/etc/ssh &&
# (mention possibility of using --with-md5-passwords if you've used them)
make && make install
Note that the install routine is clever enough NOT to overwrite the keys if you already have them meaning it's safe to upgrade this way.
Explanation: --sysconfdir=/etc/ssh ; Normal reasoning
--libexecdir=/usr/sbin ; ssh-askpass is an X11 utility which ssh thinks should go in /usr/libexec. It'll only be compiled if you have X installed (I think - check this) but should go in /usr/sbin anyways not /usr/libexec
Configuration: ssh itself doesn't really need configuration
/etc/ssh_config can be done on a per-user basis but can be overridden on the command line anyways so it isn't usually necessary to set it up.
sshd script:
cat > /etc/init.d/sshd << "EOF"
#!/bin/sh
# Begin /etc/init.d/sshd

#
# Include the functions declared in the /etc/init.d/functions file
#

source /etc/init.d/functions

case "$1" in
esac

# End /etc/init.d/sshd
EOF
chmod 755 /etc/init.d/sshd
cd /etc
ln -s ../init.d/sshd rc0.d/K750sshd
ln -s ../init.d/sshd rc1.d/K750sshd
ln -s ../init.d/sshd rc2.d/K750sshd
ln -s ../init.d/sshd rc3.d/S250sshd
ln -s ../init.d/sshd rc4.d/S250sshd
ln -s ../init.d/sshd rc5.d/S250sshd
ln -s ../init.d/sshd rc6.d/K750sshd
==> Also, user must check /etc/ssh/sshd_config file. You may wish to restrict access; e.g. root access or by ip address.
LIST OF POSSIBLE SETTINGS TO EXAMINE:
ListenAddress 0.0.0.0
PermitRootLogin yes
X11Forwarding no
#PrintLastLog no
More info on configuration can be found in man sshd, ssh and ssh-agent.
PROVIDES: scp, sftp, ssh, ssh-add, ssh-agent, ssh-keygen, ssh-keyscan, sftp-server, sshd
Can also provide ssh-askpass if X is installed
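
The sshd_config check the instructions above ask for, as an added example that is not part of the ticket or the BLFS book: it reports the values sshd would actually use for the listed settings and flags the ones that leave access unrestricted. The function names `values`, `first_value` and `review_sshd_config` are made up for this example, and the sample file is constructed from the settings listed in the post.

```shell
#!/bin/sh
# Added example, not from the ticket. Assumes plain "Keyword value" lines and
# no Match blocks. sshd keywords are case-insensitive and the first uncommented
# occurrence wins; ListenAddress is additive, so every occurrence counts.

# values FILE KEYWORD: every uncommented value of KEYWORD, one per line.
values() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        tolower($1) == key { print $2 }
    ' "$1"
}

# first_value FILE KEYWORD: the value sshd uses, or "(default)" when unset.
first_value() {
    v=$(values "$1" "$2" | head -n 1)
    echo "${v:-(default)}"
}

# review_sshd_config FILE: one line per setting that leaves access open.
review_sshd_config() {
    if [ "$(first_value "$1" PermitRootLogin)" = "yes" ]; then
        echo "PermitRootLogin yes: direct root login is allowed"
    fi
    if [ "$(first_value "$1" X11Forwarding)" = "yes" ]; then
        echo "X11Forwarding yes: X11 forwarding is enabled"
    fi
    listen=$(values "$1" ListenAddress)
    if [ -z "$listen" ]; then
        echo "ListenAddress unset: sshd listens on every address"
    elif echo "$listen" | grep -qxE '(0\.0\.0\.0|::|\[::\])(:[0-9]+)?'; then
        echo "ListenAddress wildcard: sshd listens on every address"
    fi
}

# Constructed sample: the settings exactly as listed in the post.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" << 'EOF'
ListenAddress 0.0.0.0
PermitRootLogin yes
X11Forwarding no
#PrintLastLog no
EOF
review_sshd_config "$sample"
```

Pointing `review_sshd_config` at /etc/ssh/sshd_config gives the same report for a live installation; a commented-out keyword shows as "(default)" because sshd falls back to its compiled-in value.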