[BlueOnyx:08388] Re: limit ssh access
Michael Stauber
mstauber at blueonyx.it
Tue Sep 6 07:44:53 -05 2011
Hi Eiji Hamano,
> BlueOnyx has now 4.3 OpenSSH, right ?
OpenSSH is supplied by the host OS, so the actual version depends:
BlueOnyx 5106R on CentOS5 uses: openssh-4.3p2-72.el5_6.3
BlueOnyx 5107R on SL6 uses: openssh-5.3p1-52.el6.i686
> So let's upgrade OpenSSH from 4.3 to 4.9.
I'd like to avoid that. Taking any vendor supplied package out of their
maintenance into ours increases support overhead considerably. Additionally,
OpenSSH is a very critical component where a little oversight on our behalf
(like failing to notice a potential new vulnerability) can have a very dire
impact on a lot of people. If the vendor supplied OpenSSH on CentOS5 was
vulnerable to some new exploit, I would have no qualms at all about rebuilding
it with a fixed version, which would be distributed through our mirrors to
protect BlueOnyx installs. But to do so just to add a new feature that only a
small percentage of BlueOnyx users may need isn't really worth the potential
problems that might arise in the long haul.
Likewise: I'm not entirely convinced that just using a newer OpenSSH is the
answer to the GID problems that arise when trying to chroot a siteAdmin to the
site-root directory. But I'll test this on BlueOnyx 5107R again, where we
already have a newer OpenSSH which supports the "ChrootDirectory" directive out
of the box.
--
With best regards
Michael Stauber
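The ownership issue behind the "GID problems" mentioned above is sshd's own rule for ChrootDirectory: every component of the chroot path must be owned by root and must not be group- or world-writable, which a site-root directory writable by the site's group cannot satisfy. The following pre-flight checker is an added example, not part of this list post or of BlueOnyx; it assumes GNU `stat -c`, and the path names and permission lines it is tested with are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the BlueOnyx post or project): pre-flight check for
# sshd's ChrootDirectory ownership rule. sshd rejects a chroot when any path
# component is not root-owned or is group-/world-writable, logging
# "bad ownership or modes for chroot directory component". The rule lives in
# check_chroot_components (fed "uid perms path" lines, the format produced by
# stat -c '%u %A %n'); check_chroot_path is the wrapper that stats a real path.
#
# The directive this validates would sit in sshd_config roughly as:
#   Match Group sftponly           # hypothetical group name
#       ChrootDirectory /home/sites/%u
#       ForceCommand internal-sftp

# Print every component of an absolute path, leaf first, ending with "/".
path_components() {
  p=$1
  while [ "$p" != / ]; do
    printf '%s\n' "$p"
    p=$(dirname "$p")
  done
  printf '/\n'
}

# Read "uid perms path" lines on stdin and report each violating component.
# Returns 0 when all components are acceptable as a ChrootDirectory, 1 otherwise.
check_chroot_components() {
  rc=0
  while read -r uid perms path; do
    gw=$(printf '%s' "$perms" | cut -c6)   # group write bit, e.g. drwxrwxr-x
    ow=$(printf '%s' "$perms" | cut -c9)   # other write bit
    if [ "$uid" != 0 ]; then
      echo "NOT root-owned:        $path (uid $uid)"
      rc=1
    elif [ "$gw" = w ] || [ "$ow" = w ]; then
      echo "group/world-writable:  $path ($perms)"
      rc=1
    fi
  done
  return $rc
}

# Check a real path on this host (requires GNU stat).
check_chroot_path() {
  path_components "$1" \
    | while read -r c; do stat -c '%u %A %n' "$c"; done \
    | check_chroot_components
}

# Usage: sh chrootcheck.sh /home/sites/example   (path is a constructed sample)
if [ -n "${1:-}" ]; then
  check_chroot_path "$1" && echo "OK: $1 is usable as ChrootDirectory"
fi
```

Run it against the intended site root before enabling the Match block; a group-writable site directory shows up as a violation, which is exactly why a plain "chroot the siteAdmin into the site root" does not work without changing how the site tree is owned.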