Full FreeBSD patchset

Mon Aug 5 08:02:03 EST 2002

On 26 Jun 2002, Dag-Erling Smorgrav wrote:

> Attached are the full FreeBSD patches for OpenSSH-3.3p1, including
> privsep support for PAM.  It is not quite complete but works well
> enough for authentication.  Here's a short review of our changes:
>
> 0) VersionAddendum
>
>    The SSH protocol allows for a human-readable version string of up
>    to 40 characters to be appended to the protocol version string.
>    FreeBSD takes advantage of this to include a date indicating the
>    "patch level", so people can easily determine whether their system
>    is vulnerable when an OpenSSH advisory goes out.  Some people,
>    however, dislike advertising their patch level in the protocol
>    handshake, so we've added a VersionAddendum configuration variable
>    to allow them to change or disable it.
>

This has been rejected more than then I can count.

> 1) Modified server-side defaults
>
>    We've modified some configuration defaults in sshd:
>
>       - For protocol version 2, we don't load RSA host keys by
>         default.  If both RSA and DSA keys are present, we prefer DSA
>         to RSA.
>

I don't know about everyone else's view.  But I don't like this.  You are
forcing policy that should not be forced.  Users make policy.  Not
software.  And as an admin at my work my policy is RSA over DSA.  Mainly
because it is established and well known.  DSA does not have a long enough
track record.  However, I'd never force anyone to use RSA over DSA based
my company's beliefs.

>       - LoginGraceTime defaults to 120 seconds instead of 600.
>

This I could agree with.  10 minutes is a bit long.

>       - PermitRootLogin defaults to "no".
>
>       - X11Forwarding defaults to "yes" (it's a threat to the client,
>         not to the server.)
>
>       - Unless the config file says otherwise, we automatically enable
>         Kerberos support if an appropriate keytab is present.
>

I don't like automaticaly enabled things.  Things should be ON or OFF.  We
just got done removing something sorta like this.  To do so otherwise is
damn confusing to the person admining the box.=)

>       - PAMAuthenticationViaKbdInt defaults to "yes".
>
> 2) Modified client-side defaults
>
>    We've modified some configuration defaults in ssh:
>
>       - For protocol version 2, if both RSA and DSA keys are present,
>         we prefer DSA to RSA.
>
>       - CheckHostIP defaults to "no".
>
I don't agree.

> 3) Canonic host names
>
>    We've added code to ssh.c to canonicize the target host name after
>    reading options but before trying to connect.  This eliminates the
>    usual problem with duplicate known_hosts entries.
>
> 4) OPIE
>
>    We've added support for using OPIE as a drop-in replacement for
>    S/Key.
>
> 5) PAM
>
>    We use our own PAM code, which wraps PAM in a KbdintDevice and
>    works with privsep, instead of OpenSSH's own PAM code.
>

I could have swore we agree this code should be merged into one place for
PAM code.  Having a seperate file is wrong.  Plus I could have swore the
agreement was to move to 2-clause.

No other OS group sends a patch with such broad affect.  I don't see
why FreeBSD should be favorated.  It make it hard to decide what we want
and don't want.  It also makes it unlike that any of the patch will be
included because it requires us to pick it apart.  Which I rarely happens.

- Ben