chroot + ssh concerns
Lev Lvovsky
lists1 at sonous.com
Thu Jan 1 05:09:19 EST 2004
Ben, thanks for the help so far - replies below.
On Dec 30, 2003, at 6:21 PM, Ben Lindstrom wrote:
> <shrug> I can't justify anything not knowing your environment, but for
> me custom OpenSSH (or any other package) is a PITA to maintain internal,
> and when you have problems people tend to shy away from helping or
> require you to prove it with clean code.
Very true.
Specifically, we're looking to create a software distribution system
that works by way of a central "push" server, and cron jobs running on
the destination servers which scan a directory where packages and
scripts are dumped off. scponly or rssh would be ideal, but of course,
that brings up security issues with those packages :\
> That right there is a solid reason to avoid patching with unapproved
> patches.
As I understand it, there was a patch that was in the contrib section
of the ssh source a while back - any reason why this was taken out?
Compatibility with platforms?
> Also, it is easier to verify small programs than patches to large code
> bases. It is very much the case when the people auditing the code have
> not spent enough time understanding the project, and OpenSSH is a lot
> of code to audit and understand what effects a patch may have on it.
No doubt. Initially I was averse to the patching concept mainly
because of the need to roll our own packages (as opposed to those
provided by the distro) - seeing, however, that the ssh contrib
directory provides scripts to build the packages, patching and rolling
them wouldn't be a problem. Now my main issue is that if/when a
vulnerability gets announced, we're at the mercy of the patch
developer.
Thanks for your advice!
-lev