chroot + ssh concerns
Scott Burch
scott.burch at camberwind.com
Thu Jan 1 05:25:24 EST 2004
Lev,
Have you considered using cfengine? Take a look at the following
article, which discusses using cfengine and a database to maintain
software/patches across multiple UNIX platforms, etc.
http://www.usenix.org/publications/library/proceedings/lisa2000/full_papers/ressman/ressman.pdf
-Scott
On Wed, 2003-12-31 at 12:09, Lev Lvovsky wrote:
> Ben, thanks for the help so far - replies below.
>
> On Dec 30, 2003, at 6:21 PM, Ben Lindstrom wrote:
> > <shrug> I can't justify anything not knowing your environment, but for
> > me custom OpenSSH (or any other package) is a PITA to maintain internal,
> > and when you have problems people tend to shy away from helping or
> > require you to prove it with clean code.
>
> very true.
>
> Specifically we're looking to create a software distribution system
> that works by way of a central "push" server, and cron jobs running on
> the destination servers which scan a directory where packages and
> scripts are dumped off. scponly or rssh would be ideal, but of course,
> that brings up security issues with those packages :\
>
> > That right there is a solid reason to avoid patching with unapproved
> > patches.
>
> As I understand it, there was a patch that was in the contrib section
> of the ssh source a while back - any reason why this was taken out?
> Compatibility with platforms?
>
> > Also, it is easier to verify small programs than patches to large code
> > bases. It is very much the case when the people auditing the code have
> > not spent enough time understanding the project, and OpenSSH is a lot of
> > code to audit and understand what effects a patch may have on it.
>
> No doubt. Initially I was averse to the patching concept mainly
> because of the need to roll our own packages (as opposed to those
> provided by the distro) - seeing however, that the ssh contrib
> directory provides scripts to build the packages, patching and rolling
> them wouldn't be a problem. Now my main issue is if/when a
> vulnerability gets announced, we're at the mercy of the patch
> developer.
>
> thanks for your advice!
> -lev
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
--
Scott Burch <scott.burch at camberwind.com>
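The drop-directory cron job Lev describes, with the integrity check a receiving host would want before it trusts whatever the push server dropped off. This is an added example, not code from the thread or from any of the projects mentioned; the manifest format (a sha256 checksum per expected filename, distributed out of band), the directory layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example: a cron-driven processor for a "push" drop directory.
# The receiving host installs nothing blindly: it stages only regular files
# that are listed in a trusted manifest AND whose checksum matches. Symlinks,
# unlisted files and mismatches are quarantined, so a compromised pusher or a
# tampered package cannot reach the installer. Paths/format are assumptions.

sha256_of() {
    # Print the hex SHA-256 of a file; handle both coreutils and BSD tools.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# process_dropbox DROP_DIR MANIFEST STAGE_DIR QUARANTINE_DIR
# Manifest lines look like "<sha256hex>  <basename>". Returns 0 if every file
# in the drop directory was accepted, 1 if anything had to be quarantined.
process_dropbox() {
    drop=$1 manifest=$2 stage=$3 quarantine=$4
    status=0
    mkdir -p "$stage" "$quarantine"
    for path in "$drop"/*; do
        [ -e "$path" ] || [ -L "$path" ] || continue   # empty directory
        name=$(basename "$path")
        # Refuse anything but a plain regular file: a symlink could point the
        # installer at a file outside the drop directory.
        if [ -L "$path" ] || [ ! -f "$path" ]; then
            mv "$path" "$quarantine/$name"; status=1; continue
        fi
        expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$manifest")
        actual=$(sha256_of "$path")
        if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
            mv "$path" "$stage/$name"                  # accepted for install
        else
            mv "$path" "$quarantine/$name"; status=1   # unlisted or tampered
        fi
    done
    return $status
}
```

Run it from cron as the unprivileged user that owns the drop directory and let a separate, privileged step consume only the staging directory.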