[Security Announce] MDKSA-2002:040 - openssh update (fwd)
ME
dugan at passwall.com
Tue Jun 25 12:06:47 PDT 2002
On Mon, 24 Jun 2002, derf wrote:
> My server is coloed in Texas - you'll hear the screams when I reboot and ssh
> doesn't come back.
Here is a procedure I have found to work with the openssh-3.3 source
install for my Debian systems (stolen from the README.privsep in part -
well, mostly):
# mkdir /var/empty
# chown root.sys /var/empty
# chmod 755 /var/empty
# addgroup sshd
# useradd -g sshd sshd
Without the above, sshd won't even start with the default
UsePrivilegeSeparation enabled (in openssh-3.3 it is enabled if not
explicitly turned off).
(assuming /usr/local/etc/sshd_config is the location of your sshd_config)
Look for the following names in your sshd_config file:
UsePrivilegeSeparation
Compression
If they do not exist, the safest seems to be:
UsePrivilegeSeparation yes
Compression no
added at the end.
So far I have found "Compression no" works with the 2.2 series kernels
while nothing or "Compression yes" causes sshd to not accept requests.
My tests only included openssl-0.9.6d.
Omission of "Compression no" is the same as "Compression yes"
After testing a 2.4 series kernel I have found "Compression yes" to work.
NOTE: it defaults to "Compression yes" if not included in the sshd_config
file.
NOTE: "yes" is not the same as "Yes". Use "yes". Do not use "Yes".
-ME
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-----) C++$(++++) U++++$(+$) P+$>+++
L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ !PGP
t at -(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++>++++ h(++)>+ r*>? z?
------END GEEK CODE BLOCK------
decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html
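
A way to check the result of the procedure above before restarting sshd on a remote box, as an added example that is not part of the original post. The function names, message wording and sample config are assumptions made for illustration; the value check is case-sensitive, following the post's note about "yes" and "Yes".

```shell
#!/bin/sh
# Added example, not from the original post. Each function prints one
# finding per line and returns non-zero when it found something.

# Check the two sshd_config keywords the post discusses.
check_sshd_config() {
    awk '
        BEGIN { want["useprivilegeseparation"] = "UsePrivilegeSeparation"
                want["compression"] = "Compression" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        { k = tolower($1) }                    # keyword names ignore case
        (k in want) {
            seen[k] = 1
            if ($2 == "yes" || $2 == "no") next
            if (tolower($2) == "yes" || tolower($2) == "no")
                printf "line %d: %s %s: use lowercase yes/no\n", NR, $1, $2
            else
                printf "line %d: %s %s: expected yes or no\n", NR, $1, $2
            bad++
        }
        END {
            for (k in want) if (!(k in seen)) {
                printf "%s: not set, built-in default applies\n", want[k]
                bad++
            }
            exit (bad > 0)
        }' "$1"
}

# Check the privilege separation directory: it must exist, be owned by
# root and not be writable by group or others (mode 755 in the post).
check_privsep_dir() {
    dir=$1 rc=0
    [ -d "$dir" ] || { echo "$dir: missing or not a directory"; return 1; }
    set -- $(ls -ldn "$dir")               # $1 = mode string, $3 = numeric uid
    [ "$3" = 0 ] || { echo "$dir: owner uid is $3, expected 0 (root)"; rc=1; }
    case $1 in
        d????w*|d???????w*) echo "$dir: group or world writable ($1)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample input, written to a temp file so the script runs offline.
sample=$(mktemp)
printf '%s\n' '# constructed sshd_config' 'Port 22' \
    'UsePrivilegeSeparation Yes' > "$sample"
check_sshd_config "$sample" || true
rm -f "$sample"
```

On a real system, point the functions at the paths from the post, for example `check_sshd_config /usr/local/etc/sshd_config` and `check_privsep_dir /var/empty`.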