Old 06-25-2002, 01:36 PM   #1
macubergeek
Major Leaguer
 
Join Date: Jan 2002
Location: Gaithersburg, MD
Posts: 494
OPENSSH Vulnerability

According to security advisories we should all be upgrading to the latest version of Openssh v. 3.3 immediately, please refer to
http://marc.theaimsgroup.com/?l=open...7569424297&w=2
--and--
http://www.eckes.org/article.php?sid=73
--and--
http://www.citi.umich.edu/u/provos/ssh/privsep.html

compile instructions are:

To extract and install this release on your OpenBSD system use:

# cd /usr/src/usr.bin
# tar xvfz .../openssh-x.y.tgz
# cd ssh
# make obj
# make cleandir
# make depend
# make
# make install
# cp ssh_config sshd_config /etc/ssh

QUESTION:
when I do make obj I get the error:
Makefile:3: *** missing separator. Stop.

When I look at the Makefile, on line 3 it says:
.include <bsd.own.mk>

Does anyone know how I should modify the Makefile to get rid of this error?
Old 06-25-2002, 03:56 PM   #2
Novajo
Triple-A Player
 
Join Date: Jan 2002
Location: Toronto, Canada
Posts: 185
Stepwise's recipe

I don't understand what you are doing, let alone what the problem is. However, you can compile everything with no problem at all by downloading openssh-3.3p1.tar.gz from their website and then compiling it according to Stepwise's article:

http://www.stepwise.com/Articles/Wor...-12-17.01.html

(If you have already compiled OpenSSH yourself, you just need to compile OpenSSH; no need to compile SSL and tcpwrappers. If not, do everything by the book).

Privilege separation is on by default; you need to create a user in NetInfo with the name sshd. The best way to do that is to duplicate daemon and set its userid to one that is not used yet. Make it part of group daemon.
You also need to create a directory /var/empty. This is all explained in README.privsep (or something like that).
Then, and only then, restart your "Application Sharing: allow remote login" in system prefs (uncheck, then check). If it remains gray, you have a configuration problem. Check /var/log/system.log.

I have been using it since this morning.
Old 06-25-2002, 04:17 PM   #3
macubergeek
Major Leaguer
 
Join Date: Jan 2002
Location: Gaithersburg, MD
Posts: 494
smack forehead....ooops

Yeah, I forgot about that article... I downloaded the package from a different place... once I retraced my steps on that article, everything seems to be going OK.
thanks for pointing me in the right direction.
Old 06-27-2002, 09:48 AM   #4
bluehz
MVP
 
Join Date: Jan 2002
Posts: 1,531
I updated to the new openssh, then followed the directions in OpenSSH/README.privsep as below. I am now unable to activate SSH - the error is
"Bad owner or mode on /var/empty"
I checked and /var/empty has owner sshd, group sshd, and contains no files as instructed. What's the problem here?

Code:
You should do something like the following to prepare the privsep 
preauth environment:

        # mkdir /var/empty
        # chown root:sys /var/empty
        # chmod 755 /var/empty
        # groupadd sshd
        # useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd

/var/empty should not contain any files.
Also - I noticed the config info below in README.privsep only AFTER recompiling and installing OpenSSH. Do you think I need to go back and reconfig/compile with the config options listed below or are the defaults ok?

Code:
configure supports the following options to change the default
privsep user and chroot directory:

  --with-privsep-path=xxx Path for privilege separation chroot
  --with-privsep-user=user Specify non-privileged user for privilege separation
Old 06-27-2002, 10:44 AM   #5
Novajo
Triple-A Player
 
Join Date: Jan 2002
Location: Toronto, Canada
Posts: 185
My /var/empty looks like this:

drwx------ 2 root sys 264 Jun 25 10:16 /var/empty/

and it seems to work (don't confuse the owner/group of the directory), although I don't see a process running as user sshd once connected. (Should I?)
Old 06-27-2002, 11:02 AM   #6
bluehz
MVP
 
Join Date: Jan 2002
Posts: 1,531
Changing to root:sys worked - sshd started right up. Doesn't really make sense after you go to all the trouble of creating the sshd user and sshd group. You would assume (and by default that's how they were created) that the empty dir would have user:group sshd:sshd.

Oh well - it works! Just hope I haven't somehow now opened an even larger security hole... hahaha

Thanks...

ps - just looked at the code above and noticed:

chown root:sys /var/empty

so that IS correct. I must have omitted that step when installing.
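The "Bad owner or mode on /var/empty" refusal discussed in the two posts above comes from sshd checking the privsep chroot directory, not the sshd account. The script below is an added example (not code from the thread and not OpenSSH's own source); it reproduces that check as a pre-flight test so the directory can be verified before restarting remote login. The checked properties are assumptions drawn from README.privsep as quoted above: the directory must be owned by root, must not be writable by group or others, and must be empty. The `privsep_mode_ok`, `dir_owner_and_mode` and `check_privsep_dir` function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the thread or from OpenSSH: reproduce the
# ownership/mode test behind sshd's "Bad owner or mode on /var/empty"
# refusal, so the privsep chroot can be checked before restarting sshd.
# Assumption (from README.privsep): the directory must be owned by uid 0
# (root), must not be group- or world-writable, and must be empty. The sshd
# user and group only need to exist; they must NOT own the directory.

# privsep_mode_ok MODE
# MODE is an octal permission string as printed by stat (e.g. 755, 1700).
# Succeeds unless the group or other write bit is set.
privsep_mode_ok() {
    mode=$1
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done
    other=${mode#"${mode%?}"}          # last octal digit (others)
    rest=${mode%?}
    group=${rest#"${rest%?}"}          # second-to-last octal digit (group)
    [ $(( group & 2 )) -eq 0 ] && [ $(( other & 2 )) -eq 0 ]
}

# dir_owner_and_mode DIR -> prints "UID MODE"; handles GNU and BSD/macOS stat.
dir_owner_and_mode() {
    if stat -c '%u %a' "$1" 2>/dev/null; then
        :
    else
        stat -f '%u %OLp' "$1"
    fi
}

# check_privsep_dir DIR
# Returns 0 when DIR would pass sshd's check; otherwise prints why and returns 1.
check_privsep_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    set -- $(dir_owner_and_mode "$dir")
    uid=$1; mode=$2
    [ "$uid" = 0 ] || { echo "$dir: owned by uid $uid, must be root (uid 0)"; return 1; }
    privsep_mode_ok "$mode" || { echo "$dir: mode $mode is group- or world-writable"; return 1; }
    [ -z "$(ls -A "$dir")" ] || { echo "$dir: must be empty"; return 1; }
    return 0
}

# Demonstration: a scratch directory that is group-writable is rejected
# whichever user runs this (on uid if not root, on mode if root); then the
# verdict for the real /var/empty, if present.
scratch=${TMPDIR:-/tmp}/privsep-demo.$$
mkdir -m 775 "$scratch"
check_privsep_dir "$scratch" && echo "unexpected: $scratch accepted" || :
rmdir "$scratch"
[ -d /var/empty ] && { check_privsep_dir /var/empty && echo "/var/empty: ok for privsep"; } || :
```

Run it as root after the `mkdir`/`chown root:sys`/`chmod 755` steps; a clean pass means the directory itself is not the reason sshd refuses to start, and any remaining failure is worth reading out of /var/log/system.log as Novajo suggests.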
Old 06-27-2002, 11:25 AM   #7
rusty
Triple-A Player
 
Join Date: Jan 2002
Posts: 84
3.4p1

Sorry if I am diverting the focus of this thread at all.

I am trying to build the latest OpenSSH (3.4p1) and after churning away for a while, configure fails:

checking whether OpenSSL's headers match the library... no
configure: error: Your OpenSSL headers do not match your library



Does this mean anything to anyone?


Rusty
Old 06-27-2002, 11:33 AM   #8
bluehz
MVP
 
Join Date: Jan 2002
Posts: 1,531
Ummmmm - sorry, can't help you there; my SSL must be installed and working properly, as the build went fine for me. Are you sure your SSL is working properly? Not that I know how to tell you to check....
Old 06-27-2002, 12:06 PM   #9
rusty
Triple-A Player
 
Join Date: Jan 2002
Posts: 84
Quote:
I am trying to build the latest OpenSSH (3.4p1) and after churning away for a while, configure fails:

checking whether OpenSSL's headers match the library... no
configure: error: Your OpenSSL headers do not match your library

I found the answer to my own problem. Stepwise notes on this page that:

Apple also includes [OpenSSL] with Mac OS X; with 10.1.x, however, the headers are missing. Some people have just installed the complete openssl distribution again, but this breaks the pre-binding.

...and describes an easy way to copy the headers from the same version of the source that Apple ships.

After taking care of this, OpenSSH 3.4p1 configure did not fail.


Rusty
Old 06-27-2002, 01:13 PM   #10
sao
Moderator
 
Join Date: Jan 2002
Location: Singapore
Posts: 4,233
Now is a good time to upgrade to OpenSSH 3.4 (lots of security and bug fixes); if anybody needs it, there is a good set of instructions on how to upgrade here:

http://homepage.mac.com/~rantweasel/...h-upgrade.html


and to keep monitoring for status upgrades the OpenSSH page at:

http://www.openssh.org/


Cheers...

Last edited by sao; 06-27-2002 at 01:18 PM.
Old 06-27-2002, 03:23 PM   #11
bluehz
MVP
 
Join Date: Jan 2002
Posts: 1,531
Thx for the tutorial Sao - wish I had that this morning when I was building.
Old 06-28-2002, 10:56 AM   #12
macubergeek
Major Leaguer
 
Join Date: Jan 2002
Location: Gaithersburg, MD
Posts: 494
didn't touch ssl

Hey, I installed the latest ssh 3.4p1 and everything went OK following the Stepwise instructions, but I left ssl where it was and didn't upgrade it. Does anyone see any problem with that?
Old 06-29-2002, 06:28 AM   #13
sao
Moderator
 
Join Date: Jan 2002
Location: Singapore
Posts: 4,233
macubergeek,

What's the result of : % ssh -V ?

Cheers...
Old 06-29-2002, 09:39 AM   #14
macubergeek
Major Leaguer
 
Join Date: Jan 2002
Location: Gaithersburg, MD
Posts: 494
I think I'm good

I applied the latest Apple security patch
jamesk @ /Users/jamesk@HOME-->ssh -V
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
Old 06-29-2002, 09:53 AM   #15
sao
Moderator
 
Join Date: Jan 2002
Location: Singapore
Posts: 4,233
macubergeek,

Yes, you are.

Cheers...
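Two questions run through the second half of this thread: what the hex `OpenSSL 0x0090602f` in `ssh -V` output actually means, and how configure decides that "Your OpenSSL headers do not match your library". The script below is an added example (not code from the thread, from OpenSSH or from OpenSSL) that answers both: it decodes the MNNFFPPS version number used by OpenSSL 0.9.x through 1.1.x into the familiar `0.9.6b` form, and compares the number reported by the running `ssh` with the `OPENSSL_VERSION_NUMBER` in an `opensslv.h` header, which is the same comparison the failing configure check makes. The function names, the sample header file and the embedded `ssh -V` string (copied from the post above) are this example's own constructed inputs; OpenSSL 3 encodes its version differently and is not handled here.

```sh
#!/bin/sh
# Added example, not from the thread, OpenSSH or OpenSSL: decode the hex
# OPENSSL_VERSION_NUMBER that "ssh -V" prints (e.g. 0x0090602f) and compare
# it with the number in the opensslv.h header configure would build against.
# Layout assumed (OpenSSL 0.9.x - 1.1.x): MNNFFPPS, i.e. 4 bits major,
# 8 bits minor, 8 bits fix, 8 bits patch, 4 bits status (f = release).

# decode_openssl_version HEX -> e.g. 0x0090602f -> 0.9.6b
decode_openssl_version() {
    n=$(( $1 ))
    major=$(( (n >> 28) & 0xf ))
    minor=$(( (n >> 20) & 0xff ))
    fix=$(( (n >> 12) & 0xff ))
    patch=$(( (n >> 4) & 0xff ))
    status=$(( n & 0xf ))
    v="$major.$minor.$fix"
    # patch 1..26 is printed as a letter a..z (0.9.6b has patch 2)
    if [ "$patch" -ge 1 ] && [ "$patch" -le 26 ]; then
        v="$v$(printf "\\$(printf '%03o' $(( 96 + patch )))")"
    elif [ "$patch" -gt 26 ]; then
        v="$v+p$patch"               # two-letter patch levels, shown numerically
    fi
    case $status in
        0)  v="$v-dev" ;;
        15) ;;                       # f = release
        *)  v="$v-beta$status" ;;
    esac
    printf '%s\n' "$v"
}

# header_version_number FILE -> the OPENSSL_VERSION_NUMBER defined in FILE
header_version_number() {
    sed -n 's/^#[[:space:]]*define[[:space:]]*OPENSSL_VERSION_NUMBER[[:space:]]*\(0x[0-9A-Fa-f]*\)L\{0,1\}.*/\1/p' "$1" | head -n 1
}

# ssh_openssl_number "SSH -V OUTPUT" -> the hex number after "OpenSSL "
# (empty for ssh builds that print a dotted OpenSSL version instead)
ssh_openssl_number() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \(0x[0-9A-Fa-f]*\).*/\1/p'
}

# headers_match HEADER_FILE "SSH -V OUTPUT" -> 0 when both carry the same number
headers_match() {
    [ -n "$(ssh_openssl_number "$2")" ] &&
    [ "$(header_version_number "$1")" = "$(ssh_openssl_number "$2")" ]
}

# Demonstration on constructed inputs: a sample header (not Apple's or
# OpenSSL's file) and the ssh -V line quoted in the thread.
sample=${TMPDIR:-/tmp}/opensslv-demo.$$.h
cat > "$sample" <<'EOF'
/* constructed sample of opensslv.h */
#define OPENSSL_VERSION_NUMBER  0x0090602fL
EOF
sshv='OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f'
echo "library: $(decode_openssl_version "$(ssh_openssl_number "$sshv")")"
echo "header:  $(decode_openssl_version "$(header_version_number "$sample")")"
headers_match "$sample" "$sshv" && echo "headers match library" || echo "headers do NOT match library"
rm -f "$sample"
```

To apply it to a real machine, replace the constructed inputs with `"$(ssh -V 2>&1)"` and the path of the `opensslv.h` that configure picks up (for example `/usr/include/openssl/opensslv.h`); a mismatch there is exactly the condition configure refuses to build under, and the fix rusty found was to install headers of the same version as the shipped library rather than a second OpenSSL.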