On Tuesday 2 July 2002 18:20, Nathan Angelacos wrote:
> On 1 Jul 2002 at 22:38, Greg Morgan wrote:
> >I believe you need to correct your web site. It says that you changed
> >the location of ssh_config in the packages. I believe there are two
> >configuration files with one character different, a d.
> >ssh.lrp contains /etc/ssh/ssh_config.
> >sshd.lrp contains /etc/ssh/sshd_config.
>
> Thanks for your comments, Greg.
> Yes, there are two configuration files. Jacques' packaging has:
>
> sshd.lrp containing
> /etc/ssh/ssh_config
> /etc/ssh/sshd_config
>
> ssh.lrp does not contain any /etc/ssh/*_config files
>
> These packages move only the /etc/ssh/ssh_config to ssh.lrp, and leave
> /etc/ssh/sshd_config in sshd.lrp
>
> My thinking was the config file should go with the program. I'm willing to
> have my thinking corrected, though. (Or is it just that the web page can
> have a better explanation?)
>

There was an explanation at the time I created the packages but honestly I
just cannot remember it :-)

> Brief answer:
> Yes, privilege separation is extra protection (against future attacks).
> No, it's not necessary to go through creating a new user if you disable
> privilege separation in sshd_config.
> <snip>
> To answer your question "is it necessary to go through this?" for deployed
> LEAF boxes, I'd probably be inclined to install the 3.4 OpenSSH, disable
> privilege separation in sshd_config, and go on. That should be a simple
> upgrade.
>
> The question (for me) is what about new LEAF installations and what about
> the future? One thing I really like about Bering is that Jacques is
> trying to stay close to "standard."
>
> The options that I see for ssh*.lrp are:
>
> - compile as default, create sshd user and group
> - compile with privilege separation, but use "nobody" for chroot jail
> - compile without privilege separation enabled
>
>
> At this point, a default compile of OpenSSH will use privilege separation
> with the sshd user. For new LEAF installations/releases, do we want to
> deviate from the (new) OpenSSH standard, or accommodate it and move on?
>

I have a clear position on this: we should stick to the new default openssh
config, which implies privilege separation and therefore the creation of a sshd
user and group (Debian does this, Mandrake as well).

I will update Bering accordingly for the final release and update my openssh
package suite accordingly.

Jacques

_______________________________________________
Leaf-devel mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-devel
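
The choice discussed in this thread (leave privilege separation on and create the sshd user and group, or turn it off in sshd_config) can be checked on a box after the upgrade. The script below is an added example, not part of the thread or of the LEAF packages. The function names `privsep_mode` and `privsep_check` are hypothetical, the sample files are constructed, and it assumes the keyword and its value are separated by whitespace.

```shell
#!/bin/sh
# Added example, not from the thread: does this sshd_config rely on privilege
# separation, and if so do the "sshd" user and group it needs exist?

# Print the effective UsePrivilegeSeparation value for config file $1.
# The first uncommented occurrence wins; when the keyword is absent, the
# default build described in the thread applies, i.e. enabled.
privsep_mode() {
    mode=$(awk 'tolower($1) == "useprivilegeseparation" { print tolower($2); exit }' "$1")
    echo "${mode:-yes}"
}

# privsep_check CONFIG [PASSWD] [GROUP]
# Prints one of: disabled | enabled-ok | enabled-missing-<what>
# Returns non-zero only when privsep is enabled but the account is incomplete.
privsep_check() {
    passwd=${2:-/etc/passwd}
    group=${3:-/etc/group}
    if [ "$(privsep_mode "$1")" = "no" ]; then
        echo "disabled"
        return 0
    fi
    missing=""
    grep -q '^sshd:' "$passwd" || missing="user"
    grep -q '^sshd:' "$group" || missing="${missing:+$missing+}group"
    if [ -n "$missing" ]; then
        echo "enabled-missing-$missing"
        return 1
    fi
    echo "enabled-ok"
}

# Constructed sample: a box upgraded to a default build without the new
# account. The commented-out keyword must not count as a setting.
demo_dir=$(mktemp -d)
printf '%s\n' 'Port 22' '#UsePrivilegeSeparation no' > "$demo_dir/sshd_config"
printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' > "$demo_dir/passwd"
printf '%s\n' 'root:x:0:' > "$demo_dir/group"
echo "upgraded box: $(privsep_check "$demo_dir/sshd_config" "$demo_dir/passwd" "$demo_dir/group")"
rm -rf "$demo_dir"
```

Run against a real box with `privsep_check /etc/ssh/sshd_config`; a non-zero return means privilege separation is enabled but the sshd user or group is still missing.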