On Wed, Jan 14, 2004 at 06:38:39PM +1300, Volker Kuhlmann wrote:
> > In the case of OpenSSH, the support has existed for over two and a half
> > years. See revision 1.77 of ssh/servconf.c[0].
> I'm not talking about the tcp keepalive option. I grepped through the
> whole source of an approx May 03 vanilla release, and it did not find
> those new(!) keepalive options anywhere (those options which make ssh
> or sshd shove some null bytes over the encrypted channel).

I'm specifically talking about ClientAliveInterval. Look at CVS. I
gave you a URL proving my statement. I would tend to trust the original
CVS logs of OpenSSH over a random tarball on your machine. If you look
at the branch tags, this feature was added before OpenSSH 3.0 was
released.

> > Well, if we're talking about OpenSSH, you'd be crazy to be running any
> > version prior to the existence of the privilege separation
> > functionality, which came a good deal of time after the
> > ClientAliveInterval support was added.
> You missed the point that the last openssh version $vendor has
> published for their $distro may be an older one, but it sure does
> contain all security fixes of the last version. Vendors are not that
> stupid.

I'm well aware that vendors will backport security fixes where possible,
and, indeed, this is a useful and commendable practice in many cases.
However, the CVS logs indicate that ClientAliveInterval has been
supported since before security features (note: not fixes) such as
privilege separation were added. We're talking about pre-OpenSSH 3.0
here. There will be very few vendors using a codebase this old to port
security fixes to.

It has even been suggested/rumoured that OpenSSH versions prior to the
point that privilege separation was added had a fundamentally unfixable
security problem.

Cheers,
-mjg
--
Matthew Gregan |/
/| [EMAIL PROTECTED]