Date: Mon, 22 Jan 1996 16:57:58 +0300 (MSK)
From: =?KOI8-R?Q?=E1=CE=C4=D2=C5=CA_=FE=C5=D2=CE=CF=D7?= (aka Andrey A. Chernov, Black Mage) <ache@astral.msk.su>
To: Peter Wemm <peter@jhome.DIALix.COM>
Cc: ports@freebsd.org, security@freebsd.org
Subject: Re: ssh /etc config files location..
Message-ID: <GDcVv0nyd6@ache.dialup.ru>
In-Reply-To: <199601221259.UAA04035@jhome.DIALix.COM>; from Peter Wemm at Mon, 22 Jan 1996 20:59:21 +0800
References: <199601221259.UAA04035@jhome.DIALix.COM>

In message <199601221259.UAA04035@jhome.DIALix.COM> Peter Wemm writes:

>I'm not complaining about this from a "security" point of view, I'm
>complaining about this from a "functionality" point of view.

Well, I accept this point of view.

>I'm not worried so much about the config files, but I am worried about the
>run-time data generated by sshd that is written to the etcdir, and I'm also
>concerned about the critical public and private host keys. sshd_config and
>ssh_config could stay in /usr/local/etc for all I care. :-)

I remember, we plan to make /etc read-only, no runtime data
should be written there, we need to choose another place,
maybe /var/run....
So, I still disagree but the reason is different...

>Exactly.. It "builds fine". It probes to see if the tools exist, and codes
>in the exact pathnames if they are there, and puts in default pathnames
>if they are not.

It isn't acceptable for a security tool, PREFIX can be != /usr/local
in the general case, which can cause the wrong version to be picked from /usr/local.
So, I repeat my variant:

>>In this case they need to be controlled
>>via USE_* variables like other stuff in ssh Makefile. I.e. corresponding
>>BUILD_DEPENDS must be ifdefed.

>Why? If I don't have X11 installed on the target system (and NEVER will,
>because it's a dialup box), and hence will not have wish, and ssh does not
>need wish and will happily build without it, why should I be prevented
>from building the non-X11 port?

If you don't have X11, don't install ssh-askpass.
If you install X11 - reinstall ssh port and setenv USE_WISH before.

>As far as I can see, they are used like this:
>if "wish" on $PATH
>   WISH=`location of wish`
>else
>   WISH=/usr/local/bin/wish
>   echo "Wish not installed, ssh-askpass will not work."
>fi
>.....
>echo "#! $WISH" > ssh-askpass
>cat ssh-askpass.in >> ssh-askpass

>If you build ssh and later install wish, the ssh-askpass will then work.
>It's a runtime dependency, not a BUILD_DEPENDS.

It isn't acceptable to guess the path for security tools, the path must be exact.
A better way is to reinstall ssh when the additional software becomes available.
The same goes for perl5 & ssh-make-known-hosts: either the path must be known
exactly or this script must not be installed.
There is one more problem related to this: building the package (PLIST), it is
unclear whether it must have a minimal set of ssh scripts.

>Hmm, I just re-ran the "make" to build the port. I can see that there
>are a few things that "configure" has got wrong...

>It should also use the system libgmp and the zlib port rather than
>building its own....

Ssh may depend on the libgmp/zlib version used. Configure does not even try to
find them in the system.

--
Andrey A. Chernov        : And I rest so composedly, /Now, in my bed,
ache@astral.msk.su       : That any beholder /Might fancy me dead -
http://dt.demos.su/~ache : Might start at beholding me, /Thinking me dead.
RELCOM Team,FreeBSD Team :         E.A.Poe         From "For Annie" 1849
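
The policy argued for in this message (a knob decides whether the script is built, and the interpreter path is exact or the script is not installed), as an added shell example that is not part of the original e-mail or of the ssh port. The knob argument, the $PREFIX/bin layout, the function names and the scratch files in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not from the ssh port. The USE_WISH-style knob, PREFIX and the
# ssh-askpass.in template name follow the thread; everything else is assumed.

# resolve_interp NAME KNOB PREFIX
# Prints $PREFIX/bin/NAME and returns 0 only when the knob is set and that
# exact file is executable. It never searches $PATH and has no default path.
resolve_interp() {
    [ -n "$2" ] || return 1                        # knob unset: component is not built
    case $3 in /*) ;; *) return 2 ;; esac          # PREFIX must be an absolute path
    [ -f "$3/bin/$1" ] && [ -x "$3/bin/$1" ] || return 3   # knob set, tool missing
    printf '%s\n' "$3/bin/$1"
}

# build_script NAME KNOB PREFIX TEMPLATE OUTPUT
# Writes OUTPUT with an exact "#!" line, or removes OUTPUT and fails.
build_script() {
    interp=$(resolve_interp "$1" "$2" "$3") || { _rc=$?; rm -f "$5"; return "$_rc"; }
    { printf '#! %s\n' "$interp"; cat "$4"; } > "$5" && chmod 755 "$5"
}

# Constructed demo: a scratch PREFIX, first without wish, then with a stand-in.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/prefix/bin"
    printf 'puts "passphrase dialog"\n' > "$d/ssh-askpass.in"
    rc=0; build_script wish yes "$d/prefix" "$d/ssh-askpass.in" "$d/ssh-askpass" || rc=$?
    echo "wish absent:  rc=$rc"
    printf '#!/bin/sh\n' > "$d/prefix/bin/wish"; chmod 755 "$d/prefix/bin/wish"
    rc=0; build_script wish yes "$d/prefix" "$d/ssh-askpass.in" "$d/ssh-askpass" || rc=$?
    echo "wish present: rc=$rc, first line: $(head -n 1 "$d/ssh-askpass")"
    rm -rf "$d"
}
demo
```

A non-zero return from build_script is the signal to leave the script out of the installed file list rather than ship it with a guessed "#!" line.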