Subject: Re: How to update to the latest OpenSSH?
To: Paul Hoffman <phoffman@proper.com>
From: Steven M. Bellovin <smb@research.att.com>
List: tech-security
Date: 12/04/2001 22:47:57
In message <p05101027b83341666efb@[165.227.249.20]>, Paul Hoffman writes:
>So, back to my original questions. If I want to (a) update to the 
>latest OpenSSH and (b) take steps to prevent the badness of going to 
>an older version if I update to, say, 1.5.2, what can I do? I can 
>make OpenSSH from pkgsrc and edit /etc/rc.d/sshd to point to 
>/usr/pkg, but how do I prevent a future update from overwriting 
>/etc/rc.d/sshd and pointing to /usr/sbin/sshd? Simply removing 
>/usr/sbin/sshd won't be enough, because the future update will 
>probably put in a new sshd. Is there some fancy permissions thing I 
>can do to cause the future update to fail to change /etc/rc.d/sshd?
>
>This seems like a serious security issue, although it might be best 
>handled in connection with the folks who work on version installers.

I see this particular instance as more of an installer problem, since 
I'm reasonably certain that any new releases will have the fix 
installed.

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com