Subject: Re: OF2.0 and /etc/mk.conf and ACCEPTABLE_LICENSES
To: gabriel rosenkoetter <gr@eclipsed.net>
From: Andrew Gillham <gillhaa@ghost.whirlpool.com>
List: port-macppc
Date: 12/16/1999 16:54:09
gabriel rosenkoetter writes:
> 
> Bah... ssh builds clean, and installs itself outside of /usr/pkg
> (unless you force it otherwise).  That, and I can make my own decisions
> about RSAREF, etcetera. ;^>

US citizens pretty much have to use RSAREF2.

> Anyway, I only recommended it as there had been no (visible) response
> to the original poster yet, I didn't know where the
> mk.conf.example was kept, and I knew it had worked on every NetBSD
> install I've done.

locate mk.conf should have found the example immediately.  Did you
break your locate stuff?

> For those who missed the bugtraq banter, there are some buffer
> overflows in the RSAREF2 library that ssh-1.2.2x uses, as well as an
> inherent security vulnerability in the way that ssh-1.2.13 and later
> have handled root privileges that don't exist in OpenSSH because it
> was taken from the ssh-1.2.12 sources (which are still free for use,
> as opposed to those from after ssh.com incorporated) and updated to
> the current features of the ssh-1.2.x line. This means it doesn't have
> the RSAREF2 vulnerabilities (since it doesn't link against those
> libraries) nor the mishandling of root uid (since it doesn't split
> processes in ssh-1.2.13+'s misguided way), and does interact
> seamlessly with other ssh1-protocol daemons and clients.

What does OpenSSH use then, if it doesn't use RSAREF2?

AFAIK OpenSSH uses OpenSSL, which uses RSAREF2, so how is it
eliminating the problem?  (Or am I missing something?)

-Andrew
-- 
-----------------------------------------------------------------
Andrew Gillham                            | This space left blank
gillham@whirlpool.com                     | inadvertently.
I speak for myself, not for my employer.  | Contact the publisher.
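The question above (does the installed ssh actually pull in RSAREF2?) can be answered on the machine itself rather than argued from which source tree a port descends from. The script below is an added example, not code from this thread or from the OpenSSH/pkgsrc projects: it inspects a binary's shared-library list and symbol table for RSAREF. The library name pattern "librsaref" and the entry-point names RSAPublicEncrypt, RSAPrivateDecrypt and R_RandomInit are assumptions about how RSAREF2 is packaged and what it exports; the ldd/nm samples are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the thread): does an ssh/sshd binary link against
# RSAREF2, or carry RSAREF entry points statically?
#
# Assumptions (not stated on the page): the RSAREF shared object is named
# librsaref*, and RSAREF exports RSAPublicEncrypt, RSAPrivateDecrypt and
# R_RandomInit.  Adjust both if your package names differ.

# rsaref_in_ldd: read ldd-style output on stdin; print "yes" if a librsaref
# object is mapped at run time, otherwise "no".
rsaref_in_ldd() {
    if grep -q 'librsaref'; then echo yes; else echo no; fi
}

# rsaref_in_symbols: read nm-style output on stdin; print "yes" if any of the
# assumed RSAREF entry points appears (defined "T" or undefined "U"), else "no".
rsaref_in_symbols() {
    if grep -Eq ' (RSAPublicEncrypt|RSAPrivateDecrypt|R_RandomInit)$'; then
        echo yes
    else
        echo no
    fi
}

# check_binary: run both tests on a real file.  Returns 0 only when neither
# test finds RSAREF.  A stripped binary yields no symbols, so "symbols=no"
# alone is not conclusive; the ldd result is the stronger signal.
check_binary() {
    bin=$1
    [ -f "$bin" ] || { echo "no such file: $bin" >&2; return 2; }
    dyn=$(ldd "$bin" 2>/dev/null | rsaref_in_ldd)
    sym=$(nm "$bin" 2>/dev/null | rsaref_in_symbols)
    echo "$bin: rsaref shared lib=$dyn rsaref symbols=$sym"
    [ "$dyn" = no ] && [ "$sym" = no ]
}

# Constructed samples (not real captures) so the parsers can run offline.
SAMPLE_LDD_RSAREF='/usr/pkg/sbin/sshd:
        -lrsaref.2 => /usr/pkg/lib/librsaref.so.2
        -lcrypto.1 => /usr/pkg/lib/libcrypto.so.1
        -lc.12 => /usr/lib/libc.so.12'

SAMPLE_LDD_CLEAN='/usr/pkg/sbin/sshd:
        -lcrypto.1 => /usr/pkg/lib/libcrypto.so.1
        -lc.12 => /usr/lib/libc.so.12'

SAMPLE_NM_RSAREF='00012340 T RSAPublicEncrypt
00012500 T RSAPrivateDecrypt
         U R_RandomInit
         U RSA_new'

SAMPLE_NM_CLEAN='         U RSA_new
         U RSA_public_encrypt
         U BN_new'

if [ $# -gt 0 ]; then
    check_binary "$1"
else
    echo "constructed ldd (rsaref):  $(printf '%s\n' "$SAMPLE_LDD_RSAREF" | rsaref_in_ldd)"
    echo "constructed ldd (clean):   $(printf '%s\n' "$SAMPLE_LDD_CLEAN" | rsaref_in_ldd)"
    echo "constructed nm (rsaref):   $(printf '%s\n' "$SAMPLE_NM_RSAREF" | rsaref_in_symbols)"
    echo "constructed nm (clean):    $(printf '%s\n' "$SAMPLE_NM_CLEAN" | rsaref_in_symbols)"
fi
```

Run it as `sh check_rsaref.sh /usr/pkg/sbin/sshd` (or against the ssh client) on the host in question. Checking the sshd binary rather than libcrypto is deliberate: a libcrypto built with an RSAREF glue layer would show up as a librsaref dependency (or RSAREF symbols) in whatever links it, which is exactly the "OpenSSL uses RSAREF2" worry raised above.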