[rescue] SGI fw_sshd and security
mike at blackhairy.demon.co.uk
Fri Mar 5 16:51:46 CST 2004
On Fri, 5 Mar 2004 17:04:26 -0500, Sheldon T. Hall wrote:
> Jonathan Patschke wrote ...
> > On Fri, 5 Mar 2004, Mike Meredith wrote:
> > > Hmm ... "ldd /usr/freeware/sbin/sshd" shows that "libwrap" is a
> > > required library, so it's included in my Freeware install.
> > They dynamically-linked a security library?
> > Gah, I knew the SGI Freeware maintainers were about as smart as a
> > box of rocks, but that's just -lame!-
They're not the only ones :-
% ldd /usr/lib/ssh/sshd
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libz.so.1 => /usr/lib/libz.so.1
libpam.so.1 => /usr/lib/libpam.so.1
libbsm.so.1 => /usr/lib/libbsm.so.1
libmd5.so.1 => /usr/lib/libmd5.so.1
libwrap.so.1 => /usr/sfw/lib/libwrap.so.1
libc.so.1 => /usr/lib/libc.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libmp.so.2 => /usr/lib/libmp.so.2
libcmd.so.1 => /usr/lib/libcmd.so.1
msm at rasputin - ~
% uname -a
SunOS rasputin 5.9 Generic_112233-08 sun4u sparc SUNW,Sun-Blade-1000
And the SunOS sshd is part of the core o/s not something that's a
bolt-on goodie. I'm a bit rusty on thinking about security and dynamic
loading, but with linkers that allow stuff like LD_PRELOAD isn't
worrying about dynamic libraries a bit pointless ?
(I'm old fashioned ... I assume that if an aggressive attacker gets a
shell prompt he owns the system)
> Not to mention that the OpenSSH tardist available on the main page is
> 3.7.1.p2 (alleged to be OK) while the one in the CD image is 3.6.1.p1,
> which ain't.
I'd say that updating the tardist on the 'net is the right thing to do
... especially when there is no freeware CD anymore (IRIX 6.5.23f
doesn't include it).
More information about the rescue