Colin Watson wrote: > > On Wed, Jun 26, 2002 at 03:39:49PM -0400, Reid Gilman wrote: > > 3.4 contains bugfixes for a few problems I don't completely understand > > but I believe that there was a bug that could allow root access. > > If you're running 3.3 with privilege separation enabled (as it is by > default), most remote root exploits become remote exploits of the sshd > user, which is considerably less serious. 3.4 added fixes for the real > problems rather than just bandaging over them.
[ snip ] This is what really, really confuses me !!! What is ``privilege separation'' ??? Where is it documented? (Not in the manpages, locally nor <http://www.openbsd.org/cgi-bin/man.cgi?query=ssh> nor <http://www.openbsd.org/cgi-bin/man.cgi?query=sshd>) . . . Worse, this is what I get on THREE (3) systems: # ssh -V OpenSSH_3.3 Debian 1:3.3p1-0.0woody1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f # sshd -V sshd: option requires an argument -- V sshd version OpenSSH_3.3 Debian 1:3.3p1-0.0woody1 . . . # grep -i rivi /etc/ssh/ssh*_config # Please, notice that that last command returned to the prompt *WITHOUT* anything satisfying grep ;< What is this all about? How can I know that I am protected? What do you think? -- Best Regards, mds mds resource 888.250.3987 Dare to fix things before they break . . . Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . . -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]