From: "Peter C. Lai"
Delivered-To: freebsd-security@freebsd.org
Subject: sshd weirdness
Date: Thu, 1 Mar 2001 00:43:37 -0500

I was upgrading my ports recently on a box that was upgraded from 4.1.1-STABLE to 4.2-STABLE about a month ago, and saw the ssh 1.x port installed and in need of an upgrade. Now, because I had built world with OpenSSH 2.3.0, I no longer needed the ssh 1.x port, so I deleted it using pkg_delete -f. The uptime on the box had been several weeks. I then remade a new kernel to incorporate some ALTQ traffic shaper drivers. I didn't cvsup sources, nor did I remake world; I just patched my existing kernel source and did a config, make depend, and make. I rebooted the machine to use the new kernel, and:

1. sshd is NOT running, because in rc.conf, sshd_enable is set to OFF for some reason, and
2. when I try to ssh in from a location on the same subnet, I am told the fingerprint has changed.

Furthermore, because I deleted the ssh port, /usr/local/etc/rc.d/sshd.sh got removed, which is expected. I didn't know if "SSHD_ENABLED" was already set to "NO".

My logs showed no new logins during the period of the kernel upgrades, and no other anomalous behavior has been detected. Could my deleting the port have anything to do with OpenSSH starting? I checked /etc/ssh and none of the keys have been modified with a new timestamp. I have another box with a locked-down firewall in verbose logging on the same hub, and it did not detect any ARP changes on the fully switched subnet (rapid ARP shifts between 2 MACs are indicative of traffic sniffing and man-in-the-middle attacks, since the man-in-the-middle must present himself as your router). This is puzzling...
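One way to pin down a "fingerprint has changed" report like the one above is to fingerprint every host key file still present on the server, in both the SSH-1 `bits e n` and SSH-2 base64 `.pub` formats, and compare them with the key the client has in its known_hosts, so you learn which key the client had been trusting. This is an added example, not code from the original post; the RSA values, host names and the `/usr/local/etc/ssh_host_key.pub` path for the old port's key are constructed for the illustration, and it assumes OpenSSH's MD5 fingerprint (SSH-1: modulus bytes followed by exponent bytes; SSH-2: the decoded key blob).

```python
import base64
import hashlib
import struct

# Constructed sample RSA public values (NOT a real key; far too small to use).
SAMPLE_E, SAMPLE_N = 35, 0xD3A8E1F54C0B7E99A2B4F1C6E8D02F3B1A5C7E9D0B2F4A6C8E0D1F3B5A7C9E1F

def _bn(n):
    """Minimal big-endian bytes of a positive integer (what BN_bn2bin gives)."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def _mpint(n):
    """SSH-2 mpint: length-prefixed, with a leading 0x00 when the high bit is set."""
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(b)) + b

def fingerprint(blob):
    """OpenSSH-style MD5 fingerprint: 16 colon-separated hex bytes."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def fingerprint_pubkey_line(line):
    """Fingerprint the key part of an ssh_host_key.pub or known_hosts line.
    SSH-1 'bits e n [comment]': MD5 over bytes(n) || bytes(e), the order OpenSSH uses.
    SSH-2 'ssh-rsa <base64> [comment]': MD5 over the decoded key blob."""
    fields = line.split()
    if fields[0].isdigit():
        return fingerprint(_bn(int(fields[2])) + _bn(int(fields[1])))
    return fingerprint(base64.b64decode(fields[1]))

def known_hosts_fingerprints(text):
    """Map each host pattern in a client's known_hosts to the fingerprint it has on file."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            host, _, key = line.partition(" ")
            out[host] = fingerprint_pubkey_line(key)
    return out

def find_matching_key(known_fp, candidates):
    """Return the server key files (path -> .pub contents) whose key the client trusts."""
    return [p for p, text in candidates.items() if fingerprint_pubkey_line(text) == known_fp]

def ssh2_rsa_line(e, n, comment="root@box"):
    """Build an 'ssh-rsa' public-key line from (e, n); used to construct sample data."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def ssh1_rsa_line(e, n, comment="root@box"):
    """Build an SSH-1 'bits e n' public-key line from (e, n)."""
    return f"{n.bit_length()} {e} {n} {comment}"
```

On a real box, feed `known_hosts_fingerprints` the client's ~/.ssh/known_hosts and `find_matching_key` a dict of the `.pub` files under /etc/ssh and wherever the deleted port kept its key; an empty match list means the key the client trusted is no longer on disk at all.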