Date: Wed, 16 Mar 2011 03:55:24 +0300
From: "Dmitry V. Levin" <ldv@...linux.org>
To: owl-dev@...ts.openwall.com
Subject: Re: OpenSSH update

Hi,

On Wed, Mar 16, 2011 at 01:52:27AM +0300, Solar Designer wrote:
> Dmitry,
> 
> Would you be the one to update the OpenSSH package in Owl, or should we
> assign this task to someone else, likely Vasiliy (if he accepts indeed)?
> 
> You're the primary candidate due to your maintenance of OpenSSH for ALT
> Linux and your familiarity with our patches (which you forward-ported).

I hope I can find enough time for this task.  Unless you want to update
OpenSSH very soon, e.g. this week, I think you can leave it assigned
to me.

> I notice that you added audit support to ALT's package - was this
> requested by a user?  Are you using this functionality yourself?  Do you
> think we should have it in Owl?

Audit support was introduced into ALT's openssh by another person; this
feature was required to implement some features necessary to meet some
certification criteria.  Unlike Fedora's openssh, there are no specific
audit changes in ALT's package _now_ because upstream audit support
answers our requirements quite well.

> I have mixed feelings about adding auditing support to Owl.  On one
> hand, this is a potentially useful security-relevant feature.  On the
> other, there's been almost no demand for it so far, and it is an added
> risk (extra library code running as root, perhaps even including
> processing of input from remote clients prior to authentication -
> although I did not look into this myself).  One of the advantages of Owl
> is our reduced bloat.  Our sshd is linked against a lot fewer libraries
> than Red Hat's.  The addition of auditing would change this somewhat...

Auditing is a nice feature, but it really adds additional code.  AFAIK
most of the code is not reachable unless auditing is enabled, but I'm not
sure how much of it remains in openssh; I need to re-check.  If we are going
to introduce this feature in Owl, then we need an audit package and a kernel
with audit support enabled; openssh is not the first package to start with.

-- 
ldv
