
EnGarde Secure Linux Advisory: OpenSSH

Written By
Web Webster
Jun 25, 2002
+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory                   June 25, 2002 |
| http://www.engardelinux.org/                          ESA-20020625-015 |
|                                                                        |
| Package: openssh                                                       |
| Summary: introduce privilege separation into sshd.                     |
+------------------------------------------------------------------------+

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, complete e-commerce using AllCommerce,
  and integrated open source security tools.

OVERVIEW
--------
  Theo de Raadt announced the existence of an upcoming vulnerability in
  the OpenSSH secure shell daemon.  He also noted that versions of sshd
  with a new feature called "privilege separation" were immune to the
  attack (which he gave no details on).  Thus we were required to
  upgrade to OpenSSH 3.3p1, a major upgrade from versions we have shipped
  in the past.

  Below are some important notes for this update.

    * If you have not edited your /etc/ssh/sshd_config then a new one
      will be put in place which disables root logins over SSH.  The
      default behavior in EnGarde 1.0.1 was to permit root logins.

    * Theo made it clear that this version does not fix the upcoming
      vulnerability.  Proper updates will be made available when the
      issue is announced and fixed.

    * The new privilege separation code has a few bugs interacting with
      PAM and resource limits.

    * A new user and group (sshd) will be added.

    * This is a security update in addition to a major upgrade, so
      please report any problems you have to us via the engarde-users
      mailing list (or support@engardelinux.org for EnGarde Secure
      Professional users).

  For more information on privilege separation, please see:

    http://www.citi.umich.edu/u/provos/ssh/privsep.html

  The full text of Theo's announcement may be found at:

    http://www.linuxsecurity.com/articles/cryptography_article-5185.html
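
  The first note above means a host whose /etc/ssh/sshd_config was edited does not receive the new file, so root logins may still be permitted after the upgrade. The following check is an added example, not part of the original advisory or of EnGarde's tooling; the function names are hypothetical, and the defaults it assumes for unset keywords (PermitRootLogin yes, UsePrivilegeSeparation yes) are those of OpenSSH 3.3.

```shell
#!/bin/sh
# Added example: report the settings sshd will actually use from an
# sshd_config that was kept across the upgrade.

# sshd_effective KEYWORD DEFAULT [CONFIG]
# Prints the effective value: the first occurrence of a keyword wins,
# keywords are case-insensitive, and lines starting with '#' are comments.
sshd_effective() {
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key) }
        { sub(/=/, " ") }                 # tolerate the keyword=value spelling
        /^[ \t]*#/ || NF < 2 { next }     # skip comments and valueless lines
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }     # keyword unset: fall back to default
    ' "${3:-/etc/ssh/sshd_config}"
}

# audit_sshd_config [CONFIG]
# Returns 0 only if root logins are disabled and privilege separation is on.
audit_sshd_config() {
    cfg=${1:-/etc/ssh/sshd_config}
    rc=0
    # Defaults below are assumptions taken from OpenSSH 3.3.
    root=$(sshd_effective PermitRootLogin yes "$cfg")
    priv=$(sshd_effective UsePrivilegeSeparation yes "$cfg")
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin is '$root': root logins over SSH are not disabled"
        rc=1
    fi
    if [ "$priv" != "yes" ]; then
        echo "UsePrivilegeSeparation is '$priv': privilege separation is off"
        rc=1
    fi
    return $rc
}

# Usage: audit_sshd_config /etc/ssh/sshd_config && echo "config matches the new defaults"
```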

SOLUTION
--------
  Users of the EnGarde Professional edition can use the Guardian Digital
  Secure Network to update their systems automatically.

  EnGarde Community users should upgrade to the most recent version
  as outlined in this advisory.  Updates may be obtained from:

    ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
    http://ftp.engardelinux.org/pub/engarde/stable/updates/

  Before upgrading the package, the machine must either:

    a) be booted into a "standard" kernel; or
    b) have LIDS disabled.

  To disable LIDS, execute the command:

    # /sbin/lidsadm -S -- -LIDS_GLOBAL

  To install the updated package, execute the command:

    # rpm -Uvh file

  You must now update the LIDS configuration by executing the command:

    # /usr/sbin/config_lids.pl

  To re-enable LIDS (if it was disabled), execute the command:

    # /sbin/lidsadm -S -- +LIDS_GLOBAL

  To verify the signatures of the updated packages, execute the command:

    # rpm -Kv file

UPDATED PACKAGES
----------------
  These updated packages are for EnGarde Secure Linux Community
  Edition.

  Source Packages:

    SRPMS/openssh-3.3p1-1.0.20.src.rpm
      MD5 Sum: 0f9e0d131692a49b29fa6af9221d9e35

  Binary Packages:

    i386/openssh-3.3p1-1.0.20.i386.rpm
      MD5 Sum: d23e26a839a6a4db4de0096bffaef569

    i386/openssh-clients-3.3p1-1.0.20.i386.rpm
      MD5 Sum: bc0032917f4f4d2d350ab7069ff569cb

    i386/openssh-server-3.3p1-1.0.20.i386.rpm
      MD5 Sum: 2fbee870d2c12d3d6ed35ee5dc629fdf

    i686/openssh-3.3p1-1.0.20.i686.rpm
      MD5 Sum: 66ce0b136d443f58e670007ddfb3562c

    i686/openssh-clients-3.3p1-1.0.20.i686.rpm
      MD5 Sum: 78c0d016cff46e806da1f70c8fde8acf

    i686/openssh-server-3.3p1-1.0.20.i686.rpm
      MD5 Sum: 16c6e309892abe9a5a88e72846358a2f
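
  The package list above can be checked mechanically before running rpm -Uvh. The following is an added example, not part of the original advisory: the function name is hypothetical, it assumes the advisory text has been saved to a file and that md5sum is available, and it matches packages by file name. The MD5 sums catch a corrupted or swapped download; the rpm -Kv step is still what verifies the package signatures.

```shell
#!/bin/sh
# Added example: compare downloaded packages with an advisory's
# "<path>.rpm" / "MD5 Sum: <hash>" pairs.

# verify_advisory_md5 ADVISORY_FILE PACKAGE_DIR
# Prints OK / MISMATCH / MISSING per listed package. Returns 0 only if every
# listed package is present and matches; 2 if the advisory lists no packages.
verify_advisory_md5() {
    advisory=$1
    pkgdir=$2
    # Pair each line whose first field ends in .rpm with the MD5 line after it.
    pairs=$(awk '
        $1 ~ /\.rpm$/     { pkg = $1; next }
        /MD5 Sum:/ && pkg { print tolower($NF), pkg; pkg = "" }
    ' "$advisory")
    if [ -z "$pairs" ]; then
        echo "no package entries found in $advisory" >&2
        return 2
    fi

    rc=0
    while read -r want path; do
        name=${path##*/}              # advisory lists SRPMS/..., i386/..., i686/...
        file=$pkgdir/$name
        if [ ! -f "$file" ]; then
            echo "MISSING   $name"
            rc=1
            continue
        fi
        got=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name"
            rc=1
        fi
    done <<EOF
$pairs
EOF
    return $rc
}

# Usage: verify_advisory_md5 ESA-20020625-015.txt ./updates && rpm -Kv ./updates/*.rpm
```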

REFERENCES
----------
  Guardian Digital's public key:
    http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

  OpenSSH's Official Web Site:
    http://www.openssh.org/

  Security Contact:   security@guardiandigital.com
  EnGarde Advisories: http://www.engardelinux.org/advisories.html

--------------------------------------------------------------------------
Author: Ryan W. Maple, <ryan@guardiandigital.com> 
Copyright 2002, Guardian Digital, Inc.
