Subject: Re: OF2.0 and/etc/mk.conf and ACCEPTABLE_LICENSES
To: David Brownlee <abs@netbsd.org>
From: gabriel rosenkoetter <gr@eclipsed.net>
List: port-macppc
Date: 12/16/1999 20:13:09
I'm collecting all my replies to this, since it's getting to be
extremely *not* about macppc development and into the depths of
crypto/security arguments.

If folks have more to say, perhaps we should take it to private email.

On Thu, Dec 16, 1999 at 09:54:23PM +0000, David Brownlee wrote:
> On Thu, 16 Dec 1999, gabriel rosenkoetter wrote:
> > Bah... ssh builds clean, and installs itself outside of /usr/pkg
> > (unless you force it otherwise).  That, and I can make my own decisions
> > about RSAREF, etcetera. ;^>
> 	As you can in pkgsrc - I set 'USE_RSAREF2=NO', but then again
> 	I'm outside the US (currently :), and you can set PREFIX=/xxx
> 	to make pkgsrc install wherever you want.

Oh, I just meant that installing it from the source would (by default)
put it under /usr/local, meaning it wouldn't interfere with stuff that
you did install from pkgsrc.

As far as RSAREF2 goes, I can't do that, as I am in the US (more on
that in a bit).

> 	I used to try to keep up to date on many different packages, then
> 	found with pkgsrc I could install 'pkglint' and run 'lintpksrc -i'
> 	which would report all the out of date packages (Ok, so I cheated
> 	and wrote 'lintpksrc -i' in the first place, but it still leaves
> 	me much more time for other things)
> 
> 	For things that you really want to track up to the minute you can
> 	just modify your local pkgsrc entry (and even submit it back in a
> 	PR so everyone else can benefit - hint hint :)
> 
> 	It's particularly nice to know which version of anything you have
> 	installed via 'pkg_info'.

Erm, yeah, but then I have to keep up with the package
notifications... and I'd like to have the bugfix for an error in
something as big as apache or ssh when it comes out as opposed to when
it gets into the Ports tree (even if there is only a matter of hours
difference there). Further, I prefer to compile my own software for
security stuff, and maybe link it my own way (bind, for instance,
which I run in chroot jail... oh yeah, that's three daemons with ports
open, plus postfix makes four, but neither of those run as root).

I know what I have installed because I keep notes. :^> If it were
getting that overwhelming, I'd probably use depot or some such.

[OpenSSH port]
> 	I believe someone was looking at it, but the source was not
> 	available in a form that made this easy...

So I noticed. I'll have time after I'm done with this semester's
course work (next day or two's the limit on that) to see if I can coax
it into compilation (and I have a few OpenBSD machines knocking around
to lift the make files from).

> 	Those using USE_RSAREF2=NO in their /etc/mk.conf would never
> 	have had a vulnerable ssh. Those who were using rsaref just need
> 	to update to the latest source.

Last time I checked, the ssh.com folks hadn't fixed their RSAREF2
library.

On Thu, Dec 16, 1999 at 04:54:09PM -0500, Andrew Gillham wrote:
> US citizens pretty much have to use RSAREF2.

... till September 1999, presuming somebody's actually looking. ;^>

[I didn't know where mk.conf.example lived.]
> locate mk.conf should have found the example immediately.  Did you
> break your locate stuff?

No, I didn't ever bother to check, because the only time make
complained was in regard to ssh, which I installed from source instead
anyway. :^>

> What does OpenSSH use then, if it doesn't use RSAREF2?
>
> AFAIK OpenSSH uses OpenSSL, which uses RSAREF2, so how is it
> eliminating the problem?  (Or am I missing something?)

Sorry, I didn't explain that very clearly.

As I understand it, OpenSSH does use OpenSSL, which does use RSAREF2.
The RSAREF2 that's part of OpenSSL, however, is one audited by the
OpenBSD folks (for inclusion in OpenBSD), which means that it does not
contain the buffer overflows that are in the version against which
ssh-1.2.2* is linked.

Regardless of that point, OpenSSH is better because it handles root
privilege the right way, by keeping track of everything in one process
and blocking inappropriate calls, instead of by splitting the root-
privileged routines off in a separate process from the user-privileged
routines and figuring that's good enough (which it isn't for all the
obvious reasons that daemons running as root without proper bounds
checking are always scary). This is also why it's still better even
after the standard RSAREF2 libs are fixed, because the upshot of the
fight on bugtraq was that ssh-1.2.2x will see no fix for the privilege
handling bug because they only care about the ssh2 protocol as far as
new/large-scale development is concerned. Though there's no exploit
for the bug that doesn't involve the bugs in RSAREF2, it's a
theoretical possibility that a buffer overflow somewhere else in the
ssh client or sshd code or in a library included could be exploited to
much the same effect.

       ~ g r @ eclipsed.net