Subject: Re: OF2.0 and /etc/mk.conf and ACCEPTABLE_LICENSES
To: gabriel rosenkoetter <gr@eclipsed.net>
From: David A. Gatwood <dgatwood@deepspace.mklinux.org>
List: port-macppc
Date: 12/16/1999 14:20:29
On Thu, 16 Dec 1999, gabriel rosenkoetter wrote:

> There aren't many things I install this way, but I'd like to stay more
> up to date on daemons like ssh and apache (the only two which I run
> that open ports) than the pkgsrc stays. But I'm a freak. So people
> should definitely take Bill's advice over mine. :^>

No, you're not a freak.  Ssh and other security tools are the kind of
thing where I wouldn't feel comfortable getting it from a package, whether
pre-compiled or in a source package.  It's too important to risk it. 

Note that this is nothing against NetBSD's package maintainers.  I
generally avoid packages for SSH, even under MkLinux -- and with MkLinux,
I know the person who puts them together, and the main ftp site is under
the desk in my bedroom.  It's just too critical to take the chance that
someone might have tampered with something along the way, either
intentionally or unintentionally.

SSH is one of a few things that you really should compile from the
original source.  If you're particularly careful, you should even verify
the tarball's pgp signature.  :-)


> For those who missed the bugtraq banter, there are some buffer
> overflows in the RSAREF2 library that ssh-1.2.2x uses, as well as an
> inherent security vulnerability in the way that ssh-1.2.13 and later
> have handled root privileges that don't exist in OpenSSH because it
> was taken from the ssh-1.2.12 sources (which are still free for use,
> as opposed to those from after ssh.com incorporated) and updated to
> the current features of the ssh-1.2.x line. This means it doesn't have
> the RSAREF2 vulnerabilities (since it doesn't link against those
> libraries) nor the mishandling of root uid (since it doesn't split
> processes in ssh-1.2.13+'s misguided way), and does interact
> seamlessly with other ssh1-protocol daemons and clients.

I'm pretty sure that using anything with a non-RSAREF version of the RSA
cipher is a patent violation in the U.S.  Might be problematic in that
regard.  Other than that, sounds really cool.


Later,
David
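The advice above, to build SSH from the original source and to verify the tarball's PGP signature before doing so, is the part of this message a practitioner would want to see as a concrete check. The following shell functions are an added example and not part of the original post or of any project's own scripts. They assume a detached signature file and a keyring file that you obtained and trusted out of band (the file names and the keyring path are placeholders); the signature check only proves that the holder of a key in that keyring signed the tarball, so it is only as good as how that keyring was populated. The SHA-256 comparison is a second, weaker check for sites that publish digests instead of signatures.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): verify a downloaded
# source tarball before building it, first by a detached PGP signature checked
# against a keyring you trust, then by a published SHA-256 digest.
# File names and the keyring path used by the caller are assumptions.

# Verify a detached signature using ONLY the given keyring, not the default
# one, so that a stray key imported earlier cannot satisfy the check.
# Returns 0 only if gpg reports VALIDSIG (a good signature from a key in that
# keyring), 1 on a bad or missing signature, 2 if gpg is not installed.
verify_pgp_signature() {
    tarball="$1"; sigfile="$2"; keyring="$3"
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --no-default-keyring --keyring "$keyring" --status-fd 1 \
        --verify "$sigfile" "$tarball" 2>/dev/null | grep -q '^\[GNUPG:\] VALIDSIG'
}

# Print the SHA-256 hex digest of a file, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Compare a file's digest with the expected hex digest; 0 on match, 1 otherwise.
check_sha256() {
    file="$1"; expected="$2"
    actual="$(sha256_of "$file")"
    [ "$actual" = "$expected" ]
}

# Typical use before "tar xzf && ./configure" (paths are placeholders):
#   verify_pgp_signature ssh.tar.gz ssh.tar.gz.sig ./trusted-ssh-keys.gpg \
#       && check_sha256 ssh.tar.gz "$EXPECTED_SHA256" \
#       || { echo "tarball failed verification, not building" >&2; exit 1; }
```

Refusing to proceed when gpg is absent (return code 2) rather than silently skipping the signature step is deliberate: the whole point of the message is that a source tarball that was not checked is a tarball someone could have tampered with along the way.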