Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 22 Jan 1996 09:15:10 -0700
From:      Nate Williams <nate@sri.MT.net>
To:        =?KOI8-R?Q?=E1=CE=C4=D2=C5=CA_=FE=C5=D2=CE=CF=D7?= (aka Andrey A. Chernov, Black Mage) <ache@astral.msk.su>
Cc:        Peter Wemm <peter@jhome.DIALix.COM>, security@freebsd.org
Subject:   Re: ssh /etc config files location..
Message-ID:  <199601221615.JAA21985@rocky.sri.MT.net>
In-Reply-To: <cFkCs0niw3@ache.dialup.ru>
References:  <Pine.BSF.3.91.960122165925.395E-100000@jhome.DIALix.COM> <cFkCs0niw3@ache.dialup.ru>
next in thread | previous in thread | raw e-mail | index | archive | help 
KOI8-R writes:
> In message <Pine.BSF.3.91.960122165925.395E-100000@jhome.DIALix.COM>
>     Peter Wemm writes:
> 
> >I am still somewhat disturbed with the location of some rather critical 
> >"per site" info from ssh in /usr/local/etc..  Specifically the ssh host 
> >secret keys, and the per-site config files.
> 
> >This is (IMHO) rather dangerous.  If you NFS mount /usr/local, this will 
> >screw you rather badly.

This bit me when I installed it on a Sun cluster.

> >There are precedents against this too..  gated keeps it's config files in 
> >/etc.
> 
> There are precedent _for_ this, tcp_wrapper uses /usr/local/etc.

Actually, we patch tcp_wrapper to have it use /usr/local.  It uses /etc
files by default.

> Using NFS for /usr/local/bin/{security_binaries} is big risk too
> because they can be changes (like config files).

Not on my systems, except by local folk who are trusted.  The reasons
for ssh are for outside attacks, and none of my NFS traffic goes over
the wire.

> I don't see the point to move security-related configs to /etc
> and _not_ to move security binaries from /usr/local.

Because not everyone has worries about NFS security.

> So there is two normal solutions:
> 1) Leave all as is in /usr/local, but not mount it over NFS
> 2) Move configs & binaries _both_ off /usr/local.

3) Leave the binaries on /usr/local and move config onto somewhere
that's not exported.

> I disagree with proposed solution (moving configs only to /etc).

I agree.

> >PS: IMHO, it was a mistake adding the BUILD_DEPENDS in wish and perl5. it 
> >build's fine without them.  It seems silly to require X11 to be installed 
> >in order to build the port..
> 
> It builds fine, but incomplete, namely:
> 
> ssh-askpass needs wish
> make-ssh-known-hosts needs perl5

Hmm, on all the machines I have built it on, I haven't use either one of
these.  What do they do?



Nate

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199601221615.JAA21985>