[cobalt-users] SSH Vulnerabilities and Suggested Fixes (from UK2RAQ)
- Subject: [cobalt-users] SSH Vulnerabilities and Suggested Fixes (from UK2RAQ)
- From: "fastmedia" <inc@xxxxxxxxxxxxx>
- Date: Sat Feb 10 18:57:04 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> How do we fix this one though?
Hi Andy & all.
Right. I'm going to try replying to this for the 2nd time. My
browser managed to crash 1/2 way through my 1st reply :|
First off, I'd like to explain why I've posted about this problem
twice. I'm as concerned about this problem as the Bind problem, as
while my understanding of the vulnerability is that it's harder to
exploit, SSH is not part of the Cobalt OS [1], and so we can't expect
a patch from Cobalt to fix this.
Anyway, down to business ...
a) The 'Easy' fix.
SSH has 2 protocol versions, cunningly called '1' and '2'. Only
protocol 1 is vulnerable to this exploit, so a simple way of securing
your system is to disable protocol 1. You can do this by editing the
sshd config file, '/etc/ssh/sshd_config' (you'll need a root shell to
do this). If you've still got the default config file, you'll find
line 4 reads :
#Protocol 2,1
You need to change it to read :
Protocol 2
Now save the file and restart sshd, via the '/etc/rc.d/init.d/ssh'
script.
Important Note: Before you upgrade check that your SSH client (be it
Vandyke, PuTTY or whatever you use) supports SSH protocol 2. Many
do, but some still don't.
b) The Upgrade Fix.
This is how I've fixed it, but as usual, it depends on how
comfortable messing about with your box you are as to which one you
want to try. The vulnerability has been fixed in OpenSSH 2.3.0, so
if you upgrade to this you'll be safe. First of all, you need to
upgrade openssl (a library that OpenSSH uses). You can do this with
the command:
rpm -U ftp://ftp.plig.org/pub/OpenBSD/OpenSSH/portable/rpm/openssl-0.9.5a-3.i386.rpm
Now, you need to upgrade OpenSSH itself :
rpm -U --nodeps ftp://ftp.plig.org/pub/OpenBSD/OpenSSH/portable/rpm/openssh-2.3.0p1-1.i386.rpm
rpm -U --nodeps ftp://ftp.plig.org/pub/OpenBSD/OpenSSH/portable/rpm/openssh-server-2.3.0p1-1.i386.rpm
(both commands should be typed all on one line, even if EGroups
insists on wrapping them in this posting. Note also, that these
files are being pulled from the UK mirror of the OpenSSH project -
nothing to do with me !)
The 'nodeps' override seems to be needed, as otherwise, you'll get
the error :
error: failed dependencies:
rpmlib(VersionedDependencies) <= 3.0.3-1 is needed by openssh-server-2.3.0p1-1
As far as I can make out, rpmlib is part of the rpm package, of which
version 3.0.2 is installed on the Raq (which is, of course < the
3.0.3 it's requesting). So you should be safe to use the '--nodeps'
to override this (it could be the way the Raq's packages are set up,
I'm not sure)
The script should restart the SSH daemon as part of the set up. If
you're paranoid (that's good!) and want to check everything went
o.k., you can check by typing 'sshd -d' as root. It'll end in an
error if ssh is already running, but you should see :
debug1: sshd version OpenSSH_2.3.0p1
output as the top line. Note the 2.3.0 means the upgrade went fine !
Well, I think that covers everything. I've tried to make the
instructions clear and easy to follow. I'd advise that you test your
SSH setup by attempting a new connection before you log out.
All the best,
John
[1] At least I couldn't find it in
ftp://ftp.cobaltnet.com/pub/products/raq3/RPMS/
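A check for the 'easy' fix in (a), added here as an example and not part of the original post: it reports whether an sshd_config still permits protocol 1. The function names are hypothetical, the sample files are constructed, and it assumes sshd honours the first active Protocol line it reads.

```shell
#!/bin/sh
# Added example (not from the original post): report whether an sshd_config
# still permits SSH protocol 1.

# Print the value of the first active Protocol line. Comment lines are
# skipped and the keyword is matched case-insensitively; the first match is
# taken, on the assumption that sshd uses the first value it reads.
effective_protocol() {
    awk '/^[ \t]*#/ { next }
         tolower($1) == "protocol" { print $2; exit }' "$1"
}

# Print "disabled", "enabled" or "unset" for protocol 1.
# "unset" means no active Protocol line, i.e. the compiled-in default
# applies, which the post treats as needing the explicit "Protocol 2".
protocol1_status() {
    value=$(effective_protocol "$1")
    case ",$value," in
        ",,")  echo "unset" ;;
        *,1,*) echo "enabled" ;;
        *)     echo "disabled" ;;
    esac
}

# Constructed sample files: the default line quoted in the post, the fixed
# line, and a file where a later "Protocol 2" is shadowed by an earlier one.
demo() {
    dir=$(mktemp -d) || return 1
    printf '# sshd_config\nPort 22\n#Protocol 2,1\n' > "$dir/default"
    printf '# sshd_config\nPort 22\nProtocol 2\n'    > "$dir/fixed"
    printf 'protocol 2,1\nProtocol 2\n'              > "$dir/shadowed"
    for f in default fixed shadowed; do
        printf '%-9s protocol 1: %s\n' "$f" "$(protocol1_status "$dir/$f")"
    done
    rm -rf "$dir"
}

# Audit a real file if one is given, otherwise run the constructed samples.
if [ -n "${1:-}" ]; then protocol1_status "$1"; else demo; fi
```

Run it with '/etc/ssh/sshd_config' as the argument after editing and before restarting sshd; anything other than "disabled" means the edit has not taken effect in the file.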