From 5a5f47a9d72d5bd2172fd76d3f86a793d184acd2 Mon Sep 17 00:00:00 2001 From: "Ralf S. Engelschall" Date: Sat, 6 Jul 2002 11:51:19 +0000 Subject: [PATCH] After longer thinking and comparing what FreeBSD and NetBSD did, finally revert to the old state by kicking out the UsePrivilegeSeparation and Compression default value guessing because: 1. we are predestined to fail in general because we cannot do it correctly by just looking at the platform id. 2. UsePrivilegeSeparation is nice from a paranoid security point of view but OTOH really is too brand-new and internally limits or even breaks the OpenSSH functionality too dramatically. People who are paranoid enough and can live with this can feel free to change the "no" to a "yes" in their sshd_config easily. 3. it is nasty to have a package "openssh" shipping with totally different default configuration (using "UsePrivilegeSeparation yes" makes a large difference under run-time!) on different platforms. This is nasty and we really want a single default config independent of a platform. So, unless "UsePrivilegeSeparation yes" works equally on all our plaforms and without such dramatical restrictions (Compression, PAM, etc) and internal brokeness we will stay with the _default_ config of "UsePrivilegeSeparation no". Once Privilege Separation is really ready for a global deployment, we are happy to enable it by default again. --- openssh/openssh.spec | 32 ++------------------------------ openssh/sshd_config | 6 +++--- 2 files changed, 5 insertions(+), 33 deletions(-) diff --git a/openssh/openssh.spec b/openssh/openssh.spec index a835194054..a9b928bbda 100644 --- a/openssh/openssh.spec +++ b/openssh/openssh.spec @@ -47,7 +47,7 @@ Distribution: OpenPKG [REL] Group: Cryptography License: BSD Version: 3.4p1 -Release: 20020627 +Release: 20020706 # list of sources Source0: ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz @@ -198,38 +198,10 @@ AutoReqProv: no -e 's;@l_musr@;%{l_musr};g' -e 's;@l_mgrp@;%{l_mgrp};g' \ %{SOURCE rc.openssh} $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d/ - # determine best variant for ssh server configuration - l_cfg_useprivsep=yes - # (privsep broken on old Linux at all) - case "%{l_target}" in - *-linux2.0* ) l_cfg_useprivsep=no ;; - esac -%if "%{with_pam}" == "yes" - # (PAM broken with privsep on non-Linux) - case "%{l_target}" in - *-linux* ) ;; - * ) l_cfg_useprivsep=no ;; - esac -%endif - l_cfg_compression=yes - if [ ".$l_cfg_useprivsep" = .yes ]; then - # (compression broken with privsep on old Linux) - case "%{l_target}" in - *-linux2.2* ) l_cfg_compression=no ;; - esac - fi -%if "%{with_x11}" == "yes" - l_cfg_x11forwarding=yes -%else - l_cfg_x11forwarding=no -%endif - # install reasonable ssh server and client configuration files %{l_shtool} install -c -m 644 \ -e 's;@l_prefix@;%{l_prefix};g' \ - -e "s;@l_cfg_useprivsep@;${l_cfg_useprivsep};" \ - -e "s;@l_cfg_compression@;${l_cfg_compression};" \ - -e "s;@l_cfg_x11forwarding@;${l_cfg_x11forwarding};" \ + -e 's;@l_x11forwarding@;%{with_x11};' \ %{SOURCE sshd_config} $RPM_BUILD_ROOT%{l_prefix}/etc/openssh/ %{l_shtool} install -c -m 644 -e 's;@l_prefix@;%{l_prefix};g' \ %{SOURCE ssh_config} $RPM_BUILD_ROOT%{l_prefix}/etc/openssh/ diff --git a/openssh/sshd_config b/openssh/sshd_config index 66816c25b5..284ebe4519 100644 --- a/openssh/sshd_config +++ b/openssh/sshd_config @@ -28,10 +28,10 @@ StrictModes yes IgnoreRhosts yes KeepAlive yes GatewayPorts no -X11Forwarding @l_cfg_x11forwarding@ -Compression @l_cfg_compression@ +X11Forwarding @l_x11forwarding@ +Compression yes -UsePrivilegeSeparation @l_cfg_useprivsep@ +UsePrivilegeSeparation no LoginGraceTime 600 MaxStartups 10:30:60 PermitRootLogin yes