From: Kris Kennaway
To: Matt Dillon
Cc: freebsd-security@FreeBSD.ORG
Date: Fri, 26 Jan 2001 14:06:55 -0800
Subject: Re: OpenSSH b0rked (was RE: Problems with IPFW patch)

On Fri, Jan 26, 2001 at 01:53:21PM -0800, Matt Dillon wrote:
> :I would ask, that in -STABLE at least, the fatal error be backed
> :out to a warning, at least for a few months (with sshd ignoring the
> :directive, and continuing to run), and then only move to a fatal
> :error + die.
> :
> :-aDe
> :
> :--
> :Ade Lovett, Austin, TX. ade@FreeBSD.org
> :FreeBSD: The Power to Serve http://www.FreeBSD.org/
>
> I second this request. It also happened when pam.conf/ssh changed.
> Only the serial console saved me from a car trip to one of my
> colocated machines. Two such changes in a row for ssh is too much.

Well, *that* one was unavoidable; sshd now uses PAM by default.
You must have tried hard to not notice the upgrade requirement; it was
documented in the commit log, on the mailing lists, in /usr/src/UPDATING
and would have been caught by mergemaster if you had run it after your
build.

Kris

P.S. green is doing OpenSSH these days, he's the person you need to
speak to if you have suggestions.

--
NOTE: To fetch an updated copy of my GPG key which has not expired,
finger kris@FreeBSD.org