From owner-freebsd-security  Mon Dec  3 18:47:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from web11601.mail.yahoo.com (web11601.mail.yahoo.com [216.136.172.53])
	by hub.freebsd.org (Postfix) with SMTP id 912C337B405
	for <security@freebsd.org>; Mon,  3 Dec 2001 18:47:18 -0800 (PST)
Message-ID: <20011204024718.74912.qmail@web11601.mail.yahoo.com>
Received: from [24.189.82.162] by web11601.mail.yahoo.com via HTTP; Mon, 03 Dec 2001 18:47:18 PST
Date: Mon, 3 Dec 2001 18:47:18 -0800 (PST)
From: Holtor <holtor@yahoo.com>
Subject: Re: OpenSSH Vulnerability
To: Chris Johnson <cjohnson@palomine.net>
Cc: security@freebsd.org
In-Reply-To: <20011203213708.A88390@palomine.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

It is enabled here:

/usr/src/crypto/openssh/sshd_config

Thats the only sshd_config in /usr/src besides the one
in picobsd so I figure its what should be used when
upgrading a system. I don't think mergemaster updates
anything in /etc/ssh because nothing exists in
/usr/src/etc/ssh -- probably am wrong though.

Just wondering also how people go about updating their
sshd_config. I know there was many changes when
freebsd
changed from openssh 2.3.0 to openssh 2.9.

Holt

--- Chris Johnson <cjohnson@palomine.net> wrote:
> On Mon, Dec 03, 2001 at 06:28:11PM -0800, Holtor
> wrote:
> > Is freebsd's SSH vulnerable to this?
> > 
> > http://www.securityfocus.com/archive/1/243430
> > 
> > The advisory says all versions prior to 2.9.9 are
> > vulnerable and I see sftp-server is on by default
> in
> > freebsd's sshd_config
> 
> How do you figure that? I see:
> 
> # Uncomment if you want to enable sftp
> #Subsystem      sftp    /usr/libexec/sftp-server
> 
> in my /etc/ssh/sshd_config file, and the sshd man
> page says, "By default no
> subsystems are defined."
> 
> Chris Johnson
> 

> ATTACHMENT part 2 application/pgp-signature 



__________________________________________________
Do You Yahoo!?
Buy the perfect holiday gifts at Yahoo! Shopping.
http://shopping.yahoo.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message