From owner-freebsd-security Thu Jan 25 8:33:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hub.lovett.com (hub.lovett.com [216.60.121.161])
    by hub.freebsd.org (Postfix) with ESMTP
    id 220CD37B6A7; Thu, 25 Jan 2001 08:32:56 -0800 (PST)
Received: from ade by hub.lovett.com with local (Exim 3.20 #1)
    id 14LpKR-000NcE-00; Thu, 25 Jan 2001 10:32:55 -0600
Date: Thu, 25 Jan 2001 10:32:55 -0600
From: Ade Lovett
To: Kris Kennaway
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: OpenSSH b0rked (was RE: Problems with IPFW patch)
Message-ID: <20010125103255.A78404@FreeBSD.org>
References: <20010124230626.A49802@citusc17.usc.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010124230626.A49802@citusc17.usc.edu>; from kris@FreeBSD.ORG on Wed, Jan 24, 2001 at 11:06:26PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Jan 24, 2001 at 11:06:26PM -0800, Kris Kennaway wrote:
> On Wed, Jan 24, 2001 at 07:09:32PM -0800, Scott Raymond wrote:
> > Oh, crap. That's EXACTLY what was happening.
> >
> > Looks like it's time for another compile. Duh.
>
> No, it's a configuration directive.

Of course, chucking this out:

    fatal: ConnectionsPerPeriod has been deprecated

and then aborting violates POLA. If it's been deprecated, just ignore it for a while, but don't stop functioning because of a "dead" directive.

Got bit this morning by that (our ssh/sshd configs are somewhat different from 'normal', and a later experiment with merge didn't remove the offending line, either). Thank heavens for serial consoles.

The approach here was not thought through at all, especially with:

    uxb 22# grep -i connectionsperperiod /usr/src/UPDATING
    uxb 23#

on a fully up-to-date RELENG_4 src/ tree.

I would ask, that in -STABLE at least, the fatal error be backed out to a warning, at least for a few months (with sshd ignoring the directive, and continuing to run), and then only move to a fatal error + die.

-aDe

--
Ade Lovett, Austin, TX.        ade@FreeBSD.org
FreeBSD: The Power to Serve    http://www.FreeBSD.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
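
An added example, not part of the original message and not OpenSSH's code: a small config parser in C showing the behaviour requested above, where a deprecated directive is warned about and skipped so the daemon keeps running, while an unknown directive is still an error. The keyword table, the names parse_config and parse_result, and the sample config are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical keyword table for illustration; not OpenSSH's own. */
struct keyword { const char *name; int deprecated; };
static const struct keyword keywords[] = {
    { "Port", 0 }, { "PermitRootLogin", 0 }, { "ConnectionsPerPeriod", 1 },
};
struct parse_result { int applied, warnings, errors; };

/* Parse an in-memory config, one directive per line. */
struct parse_result parse_config(const char *text)
{
    struct parse_result r = { 0, 0, 0 };
    size_t i, n = sizeof(keywords) / sizeof(keywords[0]);
    int lineno = 0;

    while (*text != '\0') {
        char line[256], word[64];
        size_t len = strcspn(text, "\n");
        snprintf(line, sizeof(line), "%.*s", (int)len, text);
        text += len + (text[len] == '\n');
        lineno++;
        if (sscanf(line, "%63s", word) != 1 || word[0] == '#')
            continue;                        /* blank line or comment */
        for (i = 0; i < n; i++)              /* keywords match case-insensitively */
            if (strcasecmp(word, keywords[i].name) == 0)
                break;
        if (i == n) {                        /* typo or unsupported: still an error */
            fprintf(stderr, "line %d: unknown directive %s\n", lineno, word);
            r.errors++;
        } else if (keywords[i].deprecated) { /* warn, skip, keep running */
            fprintf(stderr, "line %d: warning: %s is deprecated, ignored\n", lineno, word);
            r.warnings++;
        } else {
            r.applied++;
        }
    }
    return r;
}

/* Constructed sample config; the directive value is a placeholder. */
static const char sample_config[] =
    "Port 22\nConnectionsPerPeriod 5/10\nPermitRootLogin no\n";

int main(void)
{
    struct parse_result r = parse_config(sample_config);
    printf("applied=%d warnings=%d errors=%d\n", r.applied, r.warnings, r.errors);
    return r.errors != 0;                    /* only real errors stop startup */
}
```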