openssh unix dev - Jun 2002 - For us AIXers ...

On Tue, 25 Jun 2002, Sandor W. Sklar wrote:
> ... who are nervous because:
>
> (a) it seems that there will be a widely-known vulnerability
> and/exploit for OpenSSH available in the coming days, and
>
> (b) the advertised fix for the problem, privilege separation, doesn't
> seem to be working on AIX as of the latest release version of OpenSSH
> (based on the comments I've read; I haven't tried it yet) ...
>
moving aix_usrinfo() into do_setusercontext() is the fix.. And it's
current in the CVS tree.  Mr Tucker was nice enough to provide the patch
and verify it.

The only downfall at this point is TTY= is not set by usrinfo().  At this
moment I've not heard from anyone that has stated this is a problem in the
short term.

- Ben

... who are nervous because:

(a) it seems that there will be a widely-known vulnerability 
and/exploit for OpenSSH available in the coming days, and

(b) the advertised fix for the problem, privilege separation, doesn't 
seem to be working on AIX as of the latest release version of OpenSSH 
(based on the comments I've read; I haven't tried it yet) ...

... what should we do?  I've seen a whole bunch of comments and 
patches flying on the list, but I don't know if any of those patches 
definitively fix the AIX problem, nor do I know whether they will be 
committed to CVS, nor do I know if there will be a new release in the 
next few days incorporating these fixes.

Can someone authoritatively answer this question?

Thanks, --Sandy

-- 
   Sandor W. Sklar  -  Unix Systems Administrator  -  Stanford University ITSS
   Non impediti ratione cogitationis.     http://whippet.stanford.edu/~ssklar/