Portable openssh.

 
 
Gladiator

 
      10-02-2003, 09:41 PM
I hope someone can help me to understand one thing.
What's the difference between openssh from RedHat and from www.openssh.org?
I have installed a portable openssh 3.5p1-1.rpm on RedHat 7.3 and it was a
year ago.
Now I want to update the latest openssh with openssh-3.1p1-14.i386.rpm from
RedHat Network.

If you look at the version number it is lower than the one I have installed, am
I upgrading or downgrading?
What's the difference? Could anyone tell me or give a tip on websites that
have this information for a newbie like me.

I did install the openssh-3.1p1-14.i386.rpm anyway on my server and it did
install new sshd_config.rpmnew.
But I restarted sshd without changing the sshd_config and I got the following
errors on these options:
UsePrivilegeSeparation
KerberosAuthentication
KerberosOrLocalPasswd
KerberosTicketCleanup

Is my server more secure after the upgrade?

Billy



 
 
 
 
 
mjt

 
      10-02-2003, 10:37 PM
Gladiator wrote:

> If you look at the version number it is lower than the one I have installed,
> am I upgrading or downgrading?
> What's the difference? Could anyone tell me or give a tip on websites
> that have this information for a newbie like me.


.... as a rule, the release of [third party] software from a distro
vendor will always be a little bit behind the third party software
vendor.

for example, suse offers gaim v.60, but i can get v.70 directly
from the gaim folks.

in the case of openssh, i'll bet you can update your system with
the latest [security] patches from red hat.

as far as the version numbers you provided: 3.7.1 is the current
release. you say you installed openssh 3.5p1-1.rpm last year
and that the latest at red hat is openssh-3.1p1-14.i386.rpm - yes,
that is for red hat 7.3. 3.5.p1 is for red hat 9. it stands to
reason that a software version for an older release of a distro
will be behind (lower #), as there will be dependencies on the
complete distro package.
..
--
/// Michael J. Tobler: motorcyclist, surfer, skydiver, \\\
\\\ and author: "Inside Linux", "C++ HowTo", "C++ Unleashed" ///
\\\ http://pages.sbcglobal.net/mtobler/mjt_linux_page.html ///
Children are natural mimics who act like their parents despite
every effort to teach them good manners.

 
 
Nico Kadel-Garcia

 
      10-03-2003, 03:16 AM
Gladiator wrote:

> I hope someone can help me to understand one thing.
> What's the difference between openssh from RedHat and from www.openssh.org?
> I have installed a portable openssh 3.5p1-1.rpm on RedHat 7.3 and it was a
> year ago.
> Now I want to update the latest openssh with openssh-3.1p1-14.i386.rpm from
> RedHat Network.


Redirected to comp.security.ssh.

OpenSSH does their development work on OpenBSD. All releases happen
first for that platform, and by working on a single platform, it eases
development *A LOT*. The most recent release is openssh-3.7.1.

Another group does the cross-platform changes and patches as a set of
add-ons. These are the openssh-*.p* releases, currently openssh-3.7.1p1.

Many of the new OpenBSD releases have new features that have not been
robustly tested out under RedHat or other Linux releases, or that
significantly change its behavior. A classic case of this was 3.4p1,
which added the "privilege separation" which seriously broke OpenSSH on
a lot of platforms when left enabled, and broke compilation on other
systems.

RedHat, as a policy, seems to backport critical security and performance
patches from all sorts of software, such as OpenSSH, into their
published RPM updates rather than making wild leaps of the entire
package just to get the 10-line security patch. This has kept OpenSSH on
RedHat far, far more reliable and stable than the bleeding edge
openssh-*.p* releases.

> If you look at the version number it is lower than the one I have installed, am
> I upgrading or downgrading?
> What's the difference? Could anyone tell me or give a tip on websites that
> have this information for a newbie like me.


www.redhat.com, and there are usually notes in the SRPMs and their
.spec files about patches that have been rolled in.

> I did install the openssh-3.1p1-14.i386.rpm anyway on my server and it did
> install new sshd_config.rpmnew.
> But I restarted sshd without changing the sshd_config and I got following
> errors on these options:
> UsePrivilegeSeparation
> KerberosAuthentication
> KerberosOrLocalPasswd
> KerberosTicketCleanup


You'll need to roll in appropriate options from your new
sshd_config.rpmnew into your current sshd_config. That sort of change is
why they try not to jump complete software revisions: if you'd jumped to
3.7.1p1, it would be even worse.

> Is my server more secure after the upgrade?


Probably. Are you using Kerberos? Do you want privilege separation? Turn
them on if you want or need them.

 
Reply With Quote
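One way to find the options that need rolling in, as an added example that is not part of the original post: it lists active directives in the current sshd_config that the packaged sshd_config.rpmnew never mentions, even as a commented-out default. The function name and both sample files are constructed for illustration; a directive missing from the default file is only a candidate for review, not proof that the installed sshd rejects it.

```shell
#!/bin/sh
# Added example: flag active sshd_config directives that the packaged
# sshd_config.rpmnew never mentions, even as a "#Keyword value" default.

# usage: unknown_directives CURRENT_CONFIG NEW_DEFAULT_CONFIG
# Prints "lineno: line" for each active directive in CURRENT_CONFIG whose
# keyword does not appear in NEW_DEFAULT_CONFIG. Keywords are compared
# case-insensitively, as sshd does.
unknown_directives() {
    awk '
        # Return the lower-cased keyword of a config line, or "" for blanks
        # and comments. With allow_default, "#Keyword" lines count as well.
        function keyword(line, allow_default,    f) {
            sub(/^[ \t]+/, "", line)
            if (allow_default && line ~ /^#[A-Za-z]/) sub(/^#/, "", line)
            if (line == "" || line ~ /^#/) return ""
            split(line, f, /[ \t=]+/)
            return tolower(f[1])
        }
        pass == 1 { k = keyword($0, 1); if (k != "") known[k] = 1; next }
        { k = keyword($0, 0)
          if (k != "" && !(k in known)) printf "%d: %s\n", FNR, $0 }
    ' pass=1 "$2" pass=2 "$1"
}

# Constructed sample files (not the real Red Hat defaults).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/sshd_config" <<'EOF'
# config carried over from the newer build
Port 2222
Protocol 2
UsePrivilegeSeparation yes
KerberosAuthentication no
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
x11forwarding yes
EOF
cat > "$demo_dir/sshd_config.rpmnew" <<'EOF'
# constructed stand-in for the packaged default file
#Port 22
#Protocol 2,1
#PermitRootLogin yes
X11Forwarding yes
# Kerberos is not mentioned in this sample
EOF

unknown_directives "$demo_dir/sshd_config" "$demo_dir/sshd_config.rpmnew"
```

Running `sshd -t -f` against the merged file before restarting the daemon gives the authoritative answer for the installed binary.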
 
Bill Unruh

 
      10-03-2003, 07:27 AM
"Gladiator" <(E-Mail Removed)> writes:

]I hope someone can help me to understand one thing.
]What's the difference between openssh from RedHat and from www.openssh.org?
]I have installed a portable openssh 3.5p1-1.rpm on RedHat 7.3 and it was a
]year ago.

So you went out and got an ssh from the openssh site and installed it?

]Now I want to update the latest openssh with openssh-3.1p1-14.i386.rpm from
]RedHat Network.

And now want to use the RedHat openssh?

]If you look at the version number it is lower than the one I have installed, am
]I upgrading or downgrading?

downgrading.
However you may have more security patches in the Redhat one.

Why did you install the version from 3.5 in the first place?

If you want to stay with 3.5, you could try downloading the openssh-3.5p1-11.src.rpm
from the Redhat security page, and recompiling that
rpm --rebuild openssh-3.5p1-11.src.rpm
Not guaranteed to work, but there is a chance.


]What's the difference? Could anyone tell me or give a tip on websites that
]have this information for a newbie like me.

Go to the openssh web site and look at the complete revision history of openssh to find out what
changes were made between 3.1 and 3.5. Then look at the Redhat patches to see what changes they
made. You obviously felt a year ago that you wanted something from 3.5 that the
standard Redhat issue for 7.3 did not supply. What was that?


]I did install the openssh-3.1p1-14.i386.rpm anyway on my server and it did
]install new sshd_config.rpmnew.
]But I restarted sshd without changing the sshd_config and I got following
]errors on these options:
]UsePrivilegeSeparation
]KerberosAuthentication
]KerberosOrLocalPasswd
]KerberosTicketCleanup

Yes, there were changes in openssh from 3.1 to 3.5.

]Is my server more secure after the upgrade?

Who knows. You do not have the upgrades made from 3.1 to 3.5. You do have security bug fixes
installed by Redhat to 3.1.



]Billy



 
 
Neil Horman

 
      10-03-2003, 01:08 PM
Gladiator wrote:
> I hope someone can help me to understand one thing.
> What's the difference between openssh from RedHat and from www.openssh.org?
> I have installed a portable openssh 3.5p1-1.rpm on RedHat 7.3 and it was a
> year ago.
> Now I want to update the latest openssh with openssh-3.1p1-14.i386.rpm from
> RedHat Network.
>
> If you look at the version number it is lower than the one I have installed, am
> I upgrading or downgrading?
> What's the difference? Could anyone tell me or give a tip on websites that
> have this information for a newbie like me.
>
> I did install the openssh-3.1p1-14.i386.rpm anyway on my server and it did
> install new sshd_config.rpmnew.
> But I restarted sshd without changing the sshd_config and I got following
> errors on these options:
> UsePrivilegeSeparation
> KerberosAuthentication
> KerberosOrLocalPasswd
> KerberosTicketCleanup
>
> Is my server more secure after the upgrade?
>
> Billy
>
>
>

Why did you install an openSSH rpm from Red Hat 9 on a 7.3 system?
Regardless, version wise this new package does two things for you. The
patch level includes security fixes as recently as (I think) last month,
so on the whole your system is more secure. However, since it is an
older version than what you currently have, it's missing some more recent
features, hence the sshd_config errors you're seeing above.

My recommendation: Either 1) reconfig sshd to use the 3.1p14 package and
don't install rpms from other releases in the future, or 2) if you want
the latest and greatest and can do without Red Hat support, just compile
the thing yourself from openssh.org every time an errata is released
(about once a week these days)

HTH
Neil

--
/************************************************** *
*Neil Horman
*Software Engineer
*Red Hat, Inc., www.redhat.com
*gpg keyid: 1024D / 0x92A74FA1
*http://www.keyserver.net
************************************************** */

 
 
Billy

 
      10-03-2003, 07:12 PM
> Why did you install an openSSH rpm from Red Hat 9 on a 7.3 system?
I wasn't aware that the version of openssh was different depending on
which version of RedHat (7.3 or 9).
(Internet Explorer 6 is the same version number regardless if you choose to
install on Win98 or Win2000)

But I will continue to install the rpms from my vendor RedHat.
Thanks for your advice.

Billy



 
 
Volker Birk

 
      10-04-2003, 01:04 PM
In comp.os.linux.security Gladiator <(E-Mail Removed)> wrote:
> What's the difference between openssh from RedHat and from www.openssh.org?


The difference is that Redhed packages OpenSSH into an RPM.

> If you look at the version number it is lower than the one I have installed, am
> I upgrading or downgrading?


Downgrading. By definition ;-)

> Is my server more secure after the upgrade?


Who knows?

VB.
--
X-Pie Software GmbH
Postfach 1540, 88334 Bad Waldsee
Phone +49-7524-996806 Fax +49-7524-996807
http://www.x-pie.de
 
 
Nico Kadel-Garcia

 
      10-04-2003, 01:53 PM
Volker Birk wrote:

> In comp.os.linux.security Gladiator <(E-Mail Removed)> wrote:
>
>>What's the difference between openssh from RedHat and from www.openssh.org?

>
>
> The difference is that Redhed packages OpenSSH into an RPM.
>
>
>>If you look at the version number it is lower than the one I have installed, am
>>I upgrading or downgrading?

>
>
> Downgrading. By definition ;-)
>
>
>>Is my server more secure after the upgrade?

>
>
> Who knows?


My ghod, it *IS* Peter Breuer! It must be. No one else gives such
useless, snippy answers with so little content.

Read back to my reply. I explained how and why RedHat rolls back
security patches to older versions of software in older OS releases to
keep from breaking old setups with new features or configuration
changes. OpenSSH is a perfect example, because old and new sshd_config
setups *will not* work with other versions of the software. And there's
nothing quite like upgrading sshd over an SSH session and blowing away
your daemon because of configuration mismatch. *Fortunately*, the RedHat
init scripts seem to only kill the master daemon, not the client session
you're connected over, but if you lose that client session you're dead
meat and have to login at the console.

 
 
Volker Birk

 
      10-04-2003, 02:14 PM
In comp.os.linux.security Nico Kadel-Garcia <(E-Mail Removed)> wrote:
> My ghod, it *IS* Peter Breuer! It must be. No one else gives such
> useless, snippy answers with so little content.


Funny - WTF is "Peter Breuer"? *Asking Google* Shall I post with
my GnuPG signature for you? ;-)

> Read back to my reply. I explained how and why RedHat rolls back
> security patches to older versions of software in older OS releases to
> keep from breaking old setups with new features or configuration
> changes.


Because they're not translating the config files into the new syntax
if that is needed?

> OpenSSH is a perfect example, because old and new sshd_config
> setups *will not* work with other versions of the software. And there's
> nothing quite like upgrading sshd over an SSH session and blowing away
> your daemon because of configuration mismatch. *Fortunately*, the RedHat
> init scripts seem to only kill the master daemon, not the client session
> you're connected over, but if you lose that client session you're dead
> meat and have to login at the console.


Updating the daemon with which you're connected leads into the problem
to not remove your access to the box, of course.

What exactly was your point? BTW, if you don't want to read my postings,
why not adding me to your killfile?

VB.
--
X-Pie Software GmbH
Postfach 1540, 88334 Bad Waldsee
Phone +49-7524-996806 Fax +49-7524-996807
http://www.x-pie.de
 
 
Nico Kadel-Garcia

 
      10-04-2003, 10:27 PM
Volker Birk wrote:
> In comp.os.linux.security Nico Kadel-Garcia <(E-Mail Removed)> wrote:
>
>>My ghod, it *IS* Peter Breuer! It must be. No one else gives such
>>useless, snippy answers with so little content.

>
>
> Funny - WTF is "Peter Breuer"? *Asking Google* Shall I post with
> my GnuPG signature for you? ;-)


He's a guy who snaps off one-liner answers to newbie questions claiming
lots of knowledge, which translate to "RTFM" or "no one would ever need
to do that". He's not nice, and not helpful. You've actually shown far
more comprehension of the material elsewhere, so I'll take the Peter
Breuer claim back.

Please note, since we're posting in comp.os.linux.security: all a PGP
key proves is that you have the same key as someone who used it
elsewhere. It's next to useless for proving you're *NOT* someone else,
unless someone you trust signs each key and thus vouches for the
person's identity. But lots of people have signed PGP keys for aliases.

>>Read back to my reply. I explained how and why RedHat rolls back
>>security patches to older versions of software in older OS releases to
>>keep from breaking old setups with new features or configuration
>>changes.

>
>
> Because they're not translating the config files into the new syntax
> if that is needed?


Because this process is extremely difficult to do reliably for an
automated procedure. Examples include sites that use alternative SSH
ports, and thus you'd have to find and auto-edit all of their
configuration files.

Bind and apache and NTP are almost as bad with local subtleties embedded
into the configurations that really need hand-holding to update.
Configuration testing these things is *work*.

>>OpenSSH is a perfect example, because old and new sshd_config
>>setups *will not* work with other versions of the software. And there's
>>nothing quite like upgrading sshd over an SSH session and blowing away
>>your daemon because of configuration mismatch. *Fortunately*, the RedHat
>>init scripts seem to only kill the master daemon, not the client session
>>you're connected over, but if you lose that client session you're dead
>>meat and have to login at the console.

>
>
> Updating the daemon with which you're connected leads into the problem
> to not remove your access to the box, of course.


Yup. I've literally faced this problem with machines across the coast,
doing security patches of tools like libc, glibc, kernels, SSH and
OpenSSH, etc.

> What exactly was your point? BTW, if you don't want to read my postings,
> why not adding me to your killfile?


As long as someone at least has *something* useful to say, which you
seem to (I took back the Peter Breuer shot!), I'd rather not. I prefer
to confront or correct errors than leave them unnoticed: it's why I
submit software patches....

 