chroot + ssh concerns

Lev Lvovsky lists1 at
Thu Jan 1 05:09:19 EST 2004

Ben, thanks for the help so far - replies below.

On Dec 30, 2003, at 6:21 PM, Ben Lindstrom wrote:
> <shrug> I can't justify anything not knowing your environment, but for 
> me
> custom OpenSSH (or any other package) is a PITA to maintain internal, 
> and
> when you have problems people tend to shy away from helping or require 
> you
> to prove it with clean code.

very true.

specifically we're looking to create a software distribution system 
that works by way of a central "push" server, and cron jobs running on 
the destination servers which scan a directory where packages and 
scripts are dumped off.  scponly or rssh would be ideal, but of course, 
that brings up security issues with those packages :\

> That right there is a solid reason to avoid patching with unapproved
> patches.

As I understand it, there was  a patch that was in the contrib section 
of the ssh source a while back - any reason why this was taken out?  
compatibility with platforms?

> Also, it is easier to verify small programs then patches to large code
> bases.  It is very much the case when the people auditing the code has 
> not
> spent enough time understand the project, and OpenSSH is a lot of code 
> to
> audit and understand what affects a patch may have on it.

No doubt.  Initially I was averse to the patching concept mainly 
because of the need to roll our own packages (as opposed to those 
provided by the distro) - seeing however, that the ssh contrib 
directory provides scripts to build the packages, patching and rolling 
them wouldn't be a problem.  Now my main issue is if/when a 
vulnerability gets announced, we're at the mercy of the patch 

thanks for your advice!

More information about the openssh-unix-dev mailing list