Date: Tue, 25 Jun 2002 02:27:30 -0400 (EDT)
From: EnGarde Secure Linux <security@guardiandigital.com>
To: engarde-security@guardiandigital.com, bugtraq@securityfocus.com
Subject: [ESA-20020625-015] openssh: introduce privilege separation into sshd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory June 25, 2002 |
| http://www.engardelinux.org/ ESA-20020625-015 |
| |
| Package: openssh |
| Summary: introduce privilege separation into sshd. |
+------------------------------------------------------------------------+
EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection, Web
based secure remote management, complete e-commerce using AllCommerce,
and integrated open source security tools.
OVERVIEW
- --------
Theo de Raadt announced the existence of an upcoming vulnerability in
the OpenSSH secure shell daemon. He also noted that versions of sshd
with a new feature called "privilege separation" were immune to the
attack (which he gave no details on). Thus we were required to
upgrade to OpenSSH 3.3p1, a major upgrade from versions we have shipped
in the past.
Below are some important notes for this update.
* If you have not edited your /etc/ssh/sshd_config then a new one
will be put in place which disables root logins over SSH. The
default behavior in EnGarde 1.0.1 was to permit root logins.
* Theo made it clear that this version does not fix the upcoming
vulnerability. Proper updates will be made available when the
issue is announced and fixed.
* The new privilege separation code has a few bugs interacting with
PAM and resource limits.
* A new user and group (sshd) will be added.
* This is a security update in addition to a major upgrade, so
please report any problems you have to us via the engarde-users
mailing list (or support@engardelinux.org for EnGarde Secure
Professional users).
For more information on privilege separation, please see:
http://www.citi.umich.edu/u/provos/ssh/privsep.html
The full text of Theo's announcement may be found at:
http://www.linuxsecurity.com/articles/cryptography_article-5185.html
SOLUTION
- --------
Users of the EnGarde Professional edition can use the Guardian Digital
Secure Network to update their systems automatically.
EnGarde Community users should upgrade to the most recent version
as outlined in this advisory. Updates may be obtained from:
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/http://ftp.engardelinux.org/pub/engarde/stable/updates/
Before upgrading the package, the machine must either:
a) be booted into a "standard" kernel; or
b) have LIDS disabled.
To disable LIDS, execute the command:
# /sbin/lidsadm -S -- -LIDS_GLOBAL
To install the updated package, execute the command:
# rpm -Uvh file
You must now update the LIDS configuration by executing the command:
# /usr/sbin/config_lids.pl
To re-enable LIDS (if it was disabled), execute the command:
# /sbin/lidsadm -S -- +LIDS_GLOBAL
To verify the signatures of the updated packages, execute the command:
# rpm -Kv file
UPDATED PACKAGES
- ----------------
These updated packages are for EnGarde Secure Linux Community
Edition.
Source Packages:
SRPMS/openssh-3.3p1-1.0.20.src.rpm
MD5 Sum: 0f9e0d131692a49b29fa6af9221d9e35
Binary Packages:
i386/openssh-3.3p1-1.0.20.i386.rpm
MD5 Sum: d23e26a839a6a4db4de0096bffaef569
i386/openssh-clients-3.3p1-1.0.20.i386.rpm
MD5 Sum: bc0032917f4f4d2d350ab7069ff569cb
i386/openssh-server-3.3p1-1.0.20.i386.rpm
MD5 Sum: 2fbee870d2c12d3d6ed35ee5dc629fdf
i686/openssh-3.3p1-1.0.20.i686.rpm
MD5 Sum: 66ce0b136d443f58e670007ddfb3562c
i686/openssh-clients-3.3p1-1.0.20.i686.rpm
MD5 Sum: 78c0d016cff46e806da1f70c8fde8acf
i686/openssh-server-3.3p1-1.0.20.i686.rpm
MD5 Sum: 16c6e309892abe9a5a88e72846358a2f
REFERENCES
- ----------
Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
OpenSSH's Official Web Site:
http://www.openssh.org/
Security Contact: security@guardiandigital.com
EnGarde Advisories: http://www.engardelinux.org/advisories.html
- --------------------------------------------------------------------------
$Id: ESA-20020625-015-openssh,v 1.2 2002/06/25 06:25:54 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple, <ryan@guardiandigital.com>
Copyright 2002, Guardian Digital, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE9GA1jHD5cqd57fu0RAlcbAKCct6KNAUPUCEtPkn46/dqmaz6qBACcC7OP
1XkWqqpockiPSdKRqDXbjb8=
=3GQ8
-----END PGP SIGNATURE-----
