Re: Portable openssh.
From: Nico Kadel-Garcia (nkadel_at_comcast.net)
Date: 10/05/03
- Previous message: ynotssor: "Re: Securing the Llinux OS"
- In reply to: Volker Birk: "Re: Portable openssh."
- Next in thread: Volker Birk: "Re: Portable openssh."
- Reply: Volker Birk: "Re: Portable openssh."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sat, 04 Oct 2003 18:27:10 -0400
Volker Birk wrote:
> In comp.os.linux.security Nico Kadel-Garcia <nkadel@comcast.net> wrote:
>
>>My ghod, it *IS* Peter Breuer! It must be. No one else gives such
>>useless, snippy answers with so little content.
>
> Funny - WTF is "Peter Breuer"? *Asking Google* Shall I post with
> my GnuPG signature for you? ;-)
He's a guy who snaps off one-liner answers to newbie questions claiming
lots of knowledge, which translate to "RTFM" or "no one would ever need
to do that". He's not nice, and not helpful. You've actually shown far
more comprehension of the material elsewhere, so I'll take the Peter
Breuer claim back.
Please note, since we're posting in comp.os.linux.security: all a PGP
key proves is that you have the same key as someone who used it
elsewhere. It's next to useless for proving you're *NOT* someone else,
unless someone you trust signs each key and thus vouches for the
person's identity. But lots of people have signed PGP keys for aliases.
>>Read back to my reply. I explained how and why RedHat rolls back
>>security patches to older versions of software in older OS releases to
>>keep from breaking old setups with new features or configuration
>>changes.
>
> Because they're not translating the config files into the new syntax
> if that is needed?
Because this process is extremely difficult to do reliably for an
automated procedure. Examples include sites that use alternative SSH
ports, and thus you'd have to find and auto-edit all of their
configuration files.
BIND and Apache and NTP are almost as bad, with local subtleties embedded
into the configurations that really need hand-holding to update.
Configuration testing these things is *work*.
>>OpenSSH is a perfect example, because old and new sshd_config
>>setups *will not* work with other versions of the software. And there's
>>nothing quite like upgrading sshd over an SSH session and blowing away
>>your daemon because of configuration mismatch. *Fortunately*, the RedHat
>>init scripts seem to only kill the master daemon, not the client session
>>you're connected over, but if you lose that client session you're dead
>>meat and have to login at the console.
>
> Updating the daemon you're connected through leads to the problem of
> not removing your own access to the box, of course.
Yup. I've literally faced this problem with machines across the coast,
doing security patches of tools like libc, glibc, kernels, SSH and
OpenSSH, etc.
> What exactly was your point? BTW, if you don't want to read my postings,
> why not add me to your killfile?
As long as someone at least has *something* useful to say, which you
seem to (I took back the Peter Breuer shot!), I'd rather not. I prefer
to confront or correct errors than leave them unnoticed: it's why I
submit software patches....
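The "upgrading sshd over an SSH session" problem discussed above comes down to two checks you want to run before restarting the daemon: does the new sshd_config parse at all, and does it still listen on the port your current session came in over (sites with alternative ports are exactly the ones that get bitten). The script below is an added example, not code from either poster or from OpenSSH; the helper names (`sshd_ports`, `port_in_config`, `preflight`), the sample config and its path are constructed for illustration. The only OpenSSH feature it relies on is `sshd -t -f FILE`, which parses a config file without starting the daemon.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks before restarting
# sshd over an SSH session, so a config mismatch can't strand you at the
# console. Sample config and paths below are constructed.

set -eu

sshd_ports() {
    # Print, sorted and space-separated, the TCP ports an sshd_config would
    # listen on. Handles several Port lines and ListenAddress host:port;
    # falls back to 22 when no port is given, as sshd itself does.
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "port" { ports[$2] = 1; found = 1 }
        tolower($1) == "listenaddress" && $2 ~ /:[0-9]+$/ {
            n = split($2, parts, ":"); ports[parts[n]] = 1; found = 1
        }
        END {
            if (!found) ports[22] = 1
            for (p in ports) print p
        }
    ' "$1" | sort -n | tr "\n" " " | sed "s/ $//"
}

port_in_config() {
    # Exit 0 if config $1 would listen on port $2, 1 otherwise.
    for p in $(sshd_ports "$1"); do
        [ "$p" = "$2" ] && return 0
    done
    return 1
}

syntax_check() {
    # sshd -t parses $1 and exits non-zero on bad syntax or keywords the
    # installed version does not know (the old-vs-new config mismatch).
    # Skipped with a note when sshd is not installed on this machine.
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed; skipping syntax test for $1" >&2
    fi
}

preflight() {
    # $1 = candidate sshd_config, $2 = port of the session you are on.
    # Refuse when the candidate drops that port; restart only after this
    # passes (and ideally with a second sshd on a spare port as a backdoor
    # for yourself until the new daemon is confirmed up).
    syntax_check "$1" || return 1
    if port_in_config "$1" "$2"; then
        echo "ok: $1 keeps port $2 (listens on: $(sshd_ports "$1"))"
    else
        echo "REFUSING: $1 would stop listening on port $2" >&2
        return 1
    fi
}

# Constructed sample: a site that uses an alternative port alongside 22.
SAMPLE_CFG="${TMPDIR:-/tmp}/sshd_config.example.$$"
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sshd_config for the example
Port 22
Port 2222
ListenAddress 0.0.0.0:2222
PermitRootLogin no
EOF

preflight "$SAMPLE_CFG" 22 || echo "preflight failed; do not restart sshd" >&2
rm -f "$SAMPLE_CFG"
```

Run it as the user who will do the upgrade, pointing `preflight` at the config the package is about to install and at the port shown by `echo $SSH_CONNECTION`. If the syntax test fails, that is the "blowing away your daemon" case caught before the restart rather than after.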