chroot + ssh concerns

Ben Lindstrom mouring at etoh.eviladmin.org
Thu Jan 1 05:52:52 EST 2004



On Wed, 31 Dec 2003, Lev Lvovsky wrote:
> Ben, thanks for the help so far - replies below.
>
> On Dec 30, 2003, at 6:21 PM, Ben Lindstrom wrote:
[.. No one can you with auditing then you =) ..]

> > That right there is a solid reason to avoid patching with unapproved
> > patches.
>
> As I understand it, there was a patch that was in the contrib section
> of the ssh source a while back - any reason why this was taken out?
> compatibility with platforms?
>

1. It was never kept up (it was always fixed after a release, which of
course is too late to be useful =).

2. A correction in policy that is more in line with OpenBSD's policy of
"no patches or features not accepted in the mainstream tree will be
provided."


> > Also, it is easier to verify small programs than patches to large code
> > bases.  It is very much the case when the people auditing the code have
> > not spent enough time understanding the project, and OpenSSH is a lot
> > of code to audit and understand what effects a patch may have on it.
>
> No doubt.  Initially I was averse to the patching concept mainly
> because of the need to roll our own packages (as opposed to those
> provided by the distro) - seeing however, that the ssh contrib
> directory provides scripts to build the packages, patching and rolling
> them wouldn't be a problem.  Now my main issue is if/when a
> vulnerability gets announced, we're at the mercy of the patch
> developer.
>

Depends on who your distro is.  Some groups are good at security and
others.. <shrug> are not.

This comes down to your security and administration policies.  And in some
respects how well you sleep at night.

Quite honestly if you can't trust your vendor to provide you with timely
security patches you can't trust your systems.

> thanks for your advice!
> -lev
>

Good luck.

- Ben
11 hours 18 minutes until we get to leave this horrible year and move to
the next horrible year.
